{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 6.671
      },
      {
        "name": "AnalysisInfo",
        "time": 0.036
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.858
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.14
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_ntcreatethreadex",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_objects",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "hardware_id_profiling",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "firefox_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "amsi_enumeration",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "suspicious_ntdll_disk_load",
        "time": 0.0
      },
      {
        "name": "direct_syscall_evasion",
        "time": 0.0
      },
      {
        "name": "unbacked_syscall_execution",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "privilege_elevation_check",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "query_fips_reconnaissance",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_spdy",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "dllload_suspicious_directory",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "install_kernel_driver_service",
        "time": 0.0
      },
      {
        "name": "malformed_dll_loading",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "registers_vectored_exception_handler",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_module_stomping_probing",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "section_mapping_injection",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "apc_injection",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_mutex",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_named_pipe",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_shared_memory",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "unbacked_exception_filter",
        "time": 0.0
      },
      {
        "name": "unbacked_process_mitigation_alteration",
        "time": 0.0
      },
      {
        "name": "thread_unbacked_memory",
        "time": 0.0
      },
      {
        "name": "unbacked_api_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_dotnet_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_library_load",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_apc_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_protection_alteration",
        "time": 0.0
      },
      {
        "name": "unbacked_mutex_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_process_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_veh_registration",
        "time": 0.0
      },
      {
        "name": "unbacked_com_instantiation",
        "time": 0.0
      },
      {
        "name": "unbacked_crypto_operations",
        "time": 0.0
      },
      {
        "name": "unbacked_delay_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_file_dropping",
        "time": 0.0
      },
      {
        "name": "unbacked_process_enumeration",
        "time": 0.0
      },
      {
        "name": "unbacked_registry_modification",
        "time": 0.0
      },
      {
        "name": "unbacked_service_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_token_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_wmi_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_bind_shell",
        "time": 0.0
      },
      {
        "name": "unbacked_dns_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_network_connection",
        "time": 0.0
      },
      {
        "name": "unbacked_named_pipe_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_useragent_retrieval",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "etherhiding_smart_contract_call",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "decompress_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "ransomware_iocp_asynchronous_encryption",
        "time": 0.0
      },
      {
        "name": "kernel_crypto_driver_abuse",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_extension_hijack",
        "time": 0.0
      },
      {
        "name": "mass_file_modification_access",
        "time": 0.0
      },
      {
        "name": "ransomware_attribute_stripping",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "mass_ransom_note_drop",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_system_procname",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "byod_loldrivers_match",
        "time": 0.0
      },
      {
        "name": "byod_novel_driver",
        "time": 0.0
      },
      {
        "name": "byod_post_load_exploitation",
        "time": 0.0
      },
      {
        "name": "byod_driver_service_install",
        "time": 0.0
      },
      {
        "name": "com_spawned_process",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.003
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.001
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "pe_deep_entrypoint",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "pe_cert_invalid_signature",
        "time": 0.0
      },
      {
        "name": "pe_cert_self_signed",
        "time": 0.0
      },
      {
        "name": "pe_cert_suspicious_issuer",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "sigma_events",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "browser_credential_theft_headless",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.002
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.004
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.284
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.007
      },
      {
        "name": "antiav_detectreg",
        "time": 1.32
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.001
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.022
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.017
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.049
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.022
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.068
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.001
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.003
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.154
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.002
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.11
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.044
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.065
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.009
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "executes_headless_browser",
        "time": 0.0
      },
      {
        "name": "suspicious_browser_arguments",
        "time": 0.001
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.022
      },
      {
        "name": "checks_uac_status",
        "time": 0.003
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.001
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.004
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.002
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "folder_enumeration",
        "time": 0.001
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.003
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.004
      },
      {
        "name": "infostealer_ftp",
        "time": 0.443
      },
      {
        "name": "infostealer_im",
        "time": 0.248
      },
      {
        "name": "infostealer_mail",
        "time": 0.069
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.009
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.001
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.001
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.001
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.006
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.005
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.002
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.003
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.008
      },
      {
        "name": "ransomware_files",
        "time": 0.011
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.012
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.001
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.001
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.001
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.001
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.431
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.002
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.003
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "invoice_231836298371.exe",
      "path": "/opt/CAPEv2/storage/binaries/69e966e730557fde8fd84317cdef1ece00a8bb3470c0b58f3231e170168af169",
      "guest_paths": "",
      "size": 252928,
      "crc32": "B6012D5E",
      "md5": "ea039a854d20d7734c5add48f1a51c34",
      "sha1": "9615dca4c0e46b8a39de5428af7db060399230b2",
      "sha256": "69e966e730557fde8fd84317cdef1ece00a8bb3470c0b58f3231e170168af169",
      "sha512": "6718e54a59b91537c41ac913f9d8d6ad97b08cf6a61a4d174458738579a33471ef357173fd9eb4d4c9652ed2bf86c41f6da3cdd20fd7af643cd9f5ee6c9e30d5",
      "rh_hash": null,
      "ssdeep": "6144:Tz/LBBTHT+7oEf2ZstxQMSGToLoOhD2saLsW8fsmFBkObjD:PLBdy7FpQMlToThD+sW8fsmP7bj",
      "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1EB34AE19544A1133F0EAEDFEB1BEBF7168CA8BF621F5064174021DF89961E2A372D1B1",
      "sha3_384": "196a0eb43f6ecefb6ffdb0eef9782ada2cba91e50f342ccd8a6cc95f632d4843898683af668444fedb53e03d665e21b6",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\95\\invoice_231836298371.exe",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x0000a3b6",
        "ep_bytes": "558bec83e4f883ec7ca194fc40008b0d",
        "peid_signatures": null,
        "reported_checksum": "0x0004cf27",
        "actual_checksum": "0x0004cf27",
        "osversion": "5.1",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": null,
        "imports": {
          "SHLWAPI": {
            "dll": "SHLWAPI.dll",
            "imports": [
              {
                "address": "0x420078",
                "name": "PathRemoveArgsA"
              },
              {
                "address": "0x42007c",
                "name": "StrCmpNIA"
              },
              {
                "address": "0x420080",
                "name": "PathMatchSpecW"
              },
              {
                "address": "0x420084",
                "name": "IsCharSpaceA"
              },
              {
                "address": "0x420088",
                "name": "PathMakeSystemFolderA"
              },
              {
                "address": "0x42008c",
                "name": "PathIsRelativeA"
              },
              {
                "address": "0x420090",
                "name": "PathIsSameRootA"
              },
              {
                "address": "0x420094",
                "name": "PathParseIconLocationW"
              },
              {
                "address": "0x420098",
                "name": "PathIsUNCServerA"
              },
              {
                "address": "0x4200a0",
                "name": "ChrCmpIW"
              },
              {
                "address": "0x4200a4",
                "name": "PathAddExtensionW"
              },
              {
                "address": "0x4200a8",
                "name": "PathCombineW"
              },
              {
                "address": "0x4200ac",
                "name": "PathQuoteSpacesA"
              },
              {
                "address": "0x4200b4",
                "name": "PathIsRootW"
              },
              {
                "address": "0x4200bc",
                "name": "PathRenameExtensionA"
              },
              {
                "address": "0x4200c0",
                "name": "PathIsPrefixA"
              },
              {
                "address": "0x4200c4",
                "name": "PathRelativePathToW"
              },
              {
                "address": "0x4200c8",
                "name": "ChrCmpIA"
              }
            ]
          },
          "KERNEL32": {
            "dll": "KERNEL32.dll",
            "imports": [
              {
                "address": "0x420000",
                "name": "GetPrivateProfileIntW"
              },
              {
                "address": "0x420004",
                "name": "LocalFree"
              },
              {
                "address": "0x420008",
                "name": "WinExec"
              },
              {
                "address": "0x42000c",
                "name": "DeleteCriticalSection"
              },
              {
                "address": "0x420010",
                "name": "GetUserDefaultUILanguage"
              },
              {
                "address": "0x420014",
                "name": "FindNextFileA"
              },
              {
                "address": "0x420018",
                "name": "GetOEMCP"
              },
              {
                "address": "0x42001c",
                "name": "SetCurrentDirectoryW"
              },
              {
                "address": "0x420020",
                "name": "LocalAlloc"
              },
              {
                "address": "0x420024",
                "name": "CreateFileMappingA"
              },
              {
                "address": "0x420028",
                "name": "GetCompressedFileSizeA"
              },
              {
                "address": "0x42002c",
                "name": "GetEnvironmentVariableA"
              },
              {
                "address": "0x420030",
                "name": "GetConsoleAliasExesLengthW"
              },
              {
                "address": "0x420034",
                "name": "SizeofResource"
              },
              {
                "address": "0x420038",
                "name": "GetDriveTypeA"
              },
              {
                "address": "0x42003c",
                "name": "WriteFile"
              },
              {
                "address": "0x420040",
                "name": "VirtualQueryEx"
              },
              {
                "address": "0x420044",
                "name": "IsBadReadPtr"
              },
              {
                "address": "0x420048",
                "name": "GetCurrentThread"
              },
              {
                "address": "0x42004c",
                "name": "GetTickCount"
              },
              {
                "address": "0x420050",
                "name": "LocalUnlock"
              },
              {
                "address": "0x420054",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x420058",
                "name": "GetSystemDefaultUILanguage"
              },
              {
                "address": "0x42005c",
                "name": "FreeLibrary"
              },
              {
                "address": "0x420060",
                "name": "GlobalAddAtomA"
              },
              {
                "address": "0x420064",
                "name": "HeapFree"
              },
              {
                "address": "0x420068",
                "name": "GetLogicalDrives"
              },
              {
                "address": "0x42006c",
                "name": "GetSystemDefaultLCID"
              },
              {
                "address": "0x420070",
                "name": "GetModuleHandleW"
              }
            ]
          },
          "USER32": {
            "dll": "USER32.dll",
            "imports": [
              {
                "address": "0x4200d0",
                "name": "CallWindowProcW"
              },
              {
                "address": "0x4200d4",
                "name": "GetProcessDefaultLayout"
              },
              {
                "address": "0x4200d8",
                "name": "UpdateWindow"
              },
              {
                "address": "0x4200dc",
                "name": "GetClipboardOwner"
              },
              {
                "address": "0x4200e0",
                "name": "AppendMenuA"
              },
              {
                "address": "0x4200e4",
                "name": "GetCaretPos"
              },
              {
                "address": "0x4200e8",
                "name": "GetSysColor"
              },
              {
                "address": "0x4200ec",
                "name": "DestroyCursor"
              },
              {
                "address": "0x4200f0",
                "name": "GetClipboardData"
              },
              {
                "address": "0x4200f4",
                "name": "GetScrollInfo"
              },
              {
                "address": "0x4200f8",
                "name": "FlashWindowEx"
              },
              {
                "address": "0x4200fc",
                "name": "GetAsyncKeyState"
              },
              {
                "address": "0x420100",
                "name": "SetLastErrorEx"
              },
              {
                "address": "0x420104",
                "name": "InflateRect"
              },
              {
                "address": "0x420108",
                "name": "GetCapture"
              },
              {
                "address": "0x42010c",
                "name": "EnumClipboardFormats"
              },
              {
                "address": "0x420110",
                "name": "ShowCaret"
              },
              {
                "address": "0x420114",
                "name": "CopyAcceleratorTableA"
              },
              {
                "address": "0x420118",
                "name": "IsWindowEnabled"
              },
              {
                "address": "0x42011c",
                "name": "DdeQueryNextServer"
              },
              {
                "address": "0x420120",
                "name": "LoadBitmapA"
              },
              {
                "address": "0x420124",
                "name": "DeleteMenu"
              },
              {
                "address": "0x420128",
                "name": "HideCaret"
              },
              {
                "address": "0x42012c",
                "name": "GetWindowTextLengthW"
              },
              {
                "address": "0x420130",
                "name": "SwapMouseButton"
              },
              {
                "address": "0x420134",
                "name": "VkKeyScanA"
              },
              {
                "address": "0x420138",
                "name": "AllowSetForegroundWindow"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x0003316c",
            "size": "0x00001152"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x00020140",
            "size": "0x00000050"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00039000",
            "size": "0x000058f2"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x0003f000",
            "size": "0x00001354"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00020000",
            "size": "0x00000140"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x0000b571",
            "size_of_data": "0x0000b600",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.71"
          },
          {
            "name": ".data",
            "raw_address": "0x0000ba00",
            "virtual_address": "0x0000d000",
            "virtual_size": "0x000128b1",
            "size_of_data": "0x00012a00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "6.13"
          },
          {
            "name": ".itext",
            "raw_address": "0x0001e400",
            "virtual_address": "0x00020000",
            "virtual_size": "0x0000084d",
            "size_of_data": "0x00000a00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "4.82"
          },
          {
            "name": ".pdata",
            "raw_address": "0x0001ee00",
            "virtual_address": "0x00021000",
            "virtual_size": "0x00017cbe",
            "size_of_data": "0x00017e00",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xe0000020",
            "entropy": "6.77"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00036c00",
            "virtual_address": "0x00039000",
            "virtual_size": "0x000058f2",
            "size_of_data": "0x00005a00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "6.14"
          },
          {
            "name": ".reloc",
            "raw_address": "0x0003c600",
            "virtual_address": "0x0003f000",
            "virtual_size": "0x000015ec",
            "size_of_data": "0x00001600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "6.44"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "RT_CURSOR",
            "offset": "0x00039250",
            "size": "0x0000074c",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.86"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003999c",
            "size": "0x000008b4",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.11"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003a250",
            "size": "0x000009cc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.16"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003ac1c",
            "size": "0x000007fc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.90"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003b418",
            "size": "0x000007fc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.99"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003bc14",
            "size": "0x00000b6c",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.93"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003c780",
            "size": "0x000008b4",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.94"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003d034",
            "size": "0x0000074c",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.87"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003d780",
            "size": "0x000007fc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.09"
          },
          {
            "name": "RT_CURSOR",
            "offset": "0x0003df7c",
            "size": "0x000007fc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.05"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0003e778",
            "size": "0x0000017a",
            "filetype": null,
            "language": null,
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "4.93"
          }
        ],
        "versioninfo": [],
        "imphash": "308fe2649c586660c71bc787d65e54fd",
        "timestamp": "2013-11-25 10:32:03",
        "icon": null,
        "icon_hash": null,
        "icon_fuzzy": null,
        "icon_dhash": null,
        "imported_dll_count": 3
      },
      "data": null,
      "strings": [
        " !\"#$%&'()*+,-./0123456789:;<",
        "PathMakeSystemFolderA",
        "l&#l&#T",
        "2\"2>2i2n2|2",
        "CT,d{",
        "</assembly>",
        "EnumClipboardFormats",
        "OIUigAQfhF7ryLy4FbZ/eYt2KZ[bzlgQtMxNbm6JeIQhbCykvwfAMt2ZoJh4sI{j,zu9b+J",
        "FreeLibrary",
        "KatsDoreOmerBetsKoraKeef",
        "tl&#l&#l&#l&#l&#",
        "<0<U<g<",
        "D$p)I",
        "8E8X8a8}8",
        "7E[!|h:y",
        "frysBj+:SKXOJziVJBRl+d5loiI82meEGxoH54jlUPn77XlfK9dlKH8utP4iSvcCHEmy4yzf/SgG",
        "l&#l&#l&#",
        "?solidStroke@@YGKXZ",
        "-nV8TP",
        "40:0N0m0~0",
        "757C7O7c7i7",
        "jqiXzmPzIU8V590Xs8,5xbUM7YgXcpsjiizfRlhaQhH/pYXxG8LJqjhVskFt34KOlaJG9KCGjT,brQrWn/xuwTW3xm,CyP60F936QWqfEhEgN1gM830gOtrTb6hbP7irbdT2vKwCWXgZ1kvQXznrzosDoUsIjb{kgdriXm[jterqpy1CbchrkQ6VjD{dVB3IN5qnbgE4cj[2DolnV/QqtKwHeuuU9Usl21NvpZRp5kTBdOgb{H8gFzZ1UHbWWahpPEssRhx3tl[wv/uyriKcBQesJE0TOaMogUv1rLmeQV4B50Q063fNetVfW+OzRCqfzn2cPl:BZdMmjgMPpR{n0jqwPbmq9IZ8kklbSK6nPw0f0E[SKEQ3ugqqrr7bEqGazfxfY/zBorOSUAc2n6GYWlmDL2c2YitVv9fIDNSIQcs+29zj65XGpNwYc0o7H4FWnPXMRDJlr0HrVIR4Qo7ZSGqfW038DOXq77S1FT9a5d3gMsUHcG,ZEhVpOZp0y2caWqjeHcvYLyOq:GJDwn7tygI/BJ51tY9MS41KsyoAb5f7:JHKvDSruDODb2TjgfsNKS7Zj0qgcqIIpX,dJH[yfJqWEG7gW02SKf{pBrFW8C5tLhVU6FkefdECGL,dl8olIZljDUva[UFcRMV3kT4nXW{XSE,FlHnNJOjeuxNBm1g9p8lKxKCWgaUOUmhAGQqS1hK3XJKp[Hg6hvoaqIkhP17V0a[N7ngAuaWWtlBQNY{7QyBn96T0T8lYoHHOY0fcLt5XjVF6WGMiOG0FZmByxwZtugF9vIrS166V3COG0BD3{wkH4VkFqIZu5WzPJ27kjhxWHWChoHwDFJ3dUxOxbLE/HRMFNMol:6K4T284:AniHFiidEOeUq6LUcRP7NCUXHzPzE7JL+nF,nwjb7Bwcu8AdaxAPxM8vYkeTz8CeuLafe9H4/xfO5QSNWCVTElA455t9IOPkbudw91/elft8WU3kbI8R/lvxAJdPy9QP76ZzbvbmwnZmzU/31:HpiVwryuFRYpmn83F1LjYrxG42lsR{pVeFZ{rEdbD4E6iriIplaDzOAm5Qj0g7T4/ggqC[sqOYTodZ76sbgq44KzwSS4QyZ2JBCoYvQ{pKQBIgjmhxM9Y,9tNklU8NyvKfByFcyBbZxPneiQwVtG/NoYqIEFA8TG11ZCPNwp/f/JRXkUyZukYogMkHmM91zUd{YgsjvXh7jVigY3k6J2cmiP/WtF6cRiIgZ8OYgF0tQZOII5/jAn7c2m7,C1EraNTITlyg/fy45zdd/ELYPV5ttyYBaerN8YUkn,6uV2FeXSQc2YRB58m4vHsf52YICFUZ/Zmvgj09Jud8J5BObKc,WQr6IdQcY3IRHhcTQwy41TGhE5o1ei76iIndo{uoirwREPP1PTafmCpUs{ybPzCdbDXl1tfJJ:mErpRhXrw5tNWWFDrp8g+Sbf/imgldGvbeGiU[3UUCeTP,c7eMyjEzAg01JxB56kHhp1oPMwZMqEtPSpwp1kLcmJbfebOwMQtIqSYYGedRDblLRCGTU3V3HS+Hf{JQ8zh34wi9LD7WsVKrVDpJaHDjlRy2DXpi6M0S3Hcm5RUoYn2oU:2oG:9K03EDcYOnOtHZu,VE74RD0cdYWVfMSSdn04Aka:CNNoHcDEbnUR1gWhxSXCKIQtDX6{vNwkci5s4yhOkoceAVIPn6DFbjLctZnlQ8xqyoCdOTz:PO86pVu2HrcVLUthHQ5BHr9Wxwm:lmHHqch,C4/etZrYOhkpZdX04eKKg:ho5QWQlcLw6r77X,ncLCsyiwSGGox:bH2HhqLTq4N:h{F58oehQE4Eq5mRhnGfJEr3GuP[aPo5Mf1OT4uFj9xxngx:92nF/KyhY8B6AwFNJFbuTG15+QMe1h+lofpNBb86BDyKVmjyyzlv1wDEOvWIvLFSnJXuCHupSi+rotzHR0Nv0VjUavgUsYvygLah/ioeK1H7b,8,g9rJ
ddaIpxRqiL0bcsm0ANB{Td7lBwVj7Mu8vJhGvn46/r2qUDBZcDgw3UMIt{j:JOyxEJJcA:z,CPDtCIpz4gSl/{Om5dQLnEklt{b,/K+vT:HfoUjoKocXzIKlP5mOaFDIMHgqw50S7oc,4Jy{8eAuY2Z5FtTdepz6GWzr5bxWgm8iCDyGbLrN1[rTmLY30uV:LFJs2sGVStx0Bc158go5MJs6uZbvfRdYhtj,bNTu8mYuhi2mH1HPzh658d29bkSuONqsrhH5o3uthGs7TbJ03EJtOuw66oJ77DVHx9yQ34mCmZo113TZ4NDULbET48WrxncsWxoBbH/3QZnDtJhQpTDm8fvsd8pmUlvE5mkBQji[e8zUoEcVWj1{wDiJjPE[HFL[kFr3ZMuoySl,e{aF5V1,s5CfvYz{ZIZ8m78N6jU1O2x[6T7j1DxZWp5Z6u3JcCWiM64Wr[96PP3KoDpmU{qtxTnPCOBTypSXv0VZzVewOZEY8c3e2tRkaCFKtPXWPkfz9JxfX9bQEYnTTLfnv9YOhqlYkNS[PxQdSnT4TTJGBy3nNpYEmGkKW0+3ISBfBWwxKkL{f2lY1JGgWcoWBO8frc7jIIIpF8tTAOUN2nALY6Gsj6DpBEDs4JZdYL+fSqe4biRiL:k5gXqcaLrjhWjwreNcpc+FJL+FlqT:UVs0irO9wpRqTrLsfEO8jjZ{HtnYcBd1qBdGNGcOOGLgAVurcR6tAVQbK8Cl7wK{M5g8FdIHbxbyeppTJ3dT2[7Nm{UomthuatRD+Vx1O0pECtnOaBceeu2hjCB6GpCX3tp8qSDr7{DdHUX[jiGZLTh59TDDA91,LNz77RCYUs4dcBlQAL+1cLUmr2sb86XC5cr6c{5xIDiLwfbeJtp474s{tnxDQCVkRFeOQnxn5Z15lwTX7mnxhG1K3wFJlcSpZMqsVYdHC[3Km{xU0SbukU3GiZVJyBcS3luP/4w5BGEIjerNcwCB3mS7ndp6MVxKKrC6QG3J9gVGkkuVN5S7Yds6ofZJaIIWuxVp9ri,tHwi1WWVt6SYdRrlfILe3XuhQIQCRNqI3Eg9gxovLZEo9zfGA0nxSTItofvDGZd1yC2BMl3,mx2mk9UiF,xwtq2sKsczAp0n1Va[Eg/2b9DXqDbp4veVEUWRp0PywfC1o0cbIKcvTHah8kdgFsgGqJ2p0MQnzueYlrFKeLGclttKTXp0cOTQx{6s9RZTJSo8DFqmDvUpcisthWYFtQs6p88wYXl234ak3uI:hX97acwD3LrpdbJiKwaypWoKPKnIbOiGrxUij1O:pfam5oNUxbIGNKwinV4IQ,36PGsi8d08vYjcJQPTRvhBX0fD8oSlseTLo,aX7{dlLDXo86GypnUvDpLuByesr53l0IQBJxHeKML24VYZqER3f1zPWmM5UDx:0MI6VsypJ9RBSOBiA4BZxtFgqFptuwiOVscPST0pB0OzexRtkBntVb7ytW7luNiCh2aV1kvlO5IfNSKH+nWGYB6f260jGFrovh7TvI1bKZXegDlNjF6rnBTGOIJKdfSj6e9Qd44EiNLyXpcdDGIwqYbNvrtpg4OjyhU{oX2rBWR[T3+{tjnkxsx{jLhJN[4[tOWd7MXZG4ezHUNvzOcrxTOgq{1WgZJ[nsIbw32IeN6BPvC6mih4a[GXI7Qp+hT6cpgZ1c3wtFK4VzHE+QOnD8aNFF5B8OYZ80QsCh3,ScvoEB8EB6yfOGGnAU00dxvzOuSQnQV7gKpYMlSExKq67eFNa7Idz,1V8T8FqwK3UgOmh2+jo2FH6NTK6OzlMRAchGfBFHChIeafss80pRiuHpisRLXsjqNr/odR2rcQjTucPOB9ERCLT:ulBLJjD7psxlQ7E3EgjlL9SQ8xVl/qjnf3zZI8vEsWv4eelwac77KdkLsBu27yvFy[zm4oAw0x04zU+v/q7mtrV9v3ebO3s3XVQyNHl8/T2xTIokhhJBiodqgFF4bGH7PY5njB
o,+cBlHiMq5LegA8Z6V0U9I[FStX5WWQvrWVjfc[TimsSgfzH7lbkPOse{8,35QD7xebChU8JoeXXJM45pqORyzOiPluuLCwU9A2XJOXrPX:XMA2ortiH1EsaNtvsUTSrz8Jy8Ab4bMQscjVE4PCviCPZ9wwXCK7l8S80igGf8lopTIXYZwlXFSKs3jggql[8HYGNRCXNCEO8[LSoEPieYxcP{q9MnPPLSvoQQyw8Nsw0lnf4NycH0SyGzPvr9+ZwQlpEeIh0krSdJ2y0PoXgm9NxyAj/3XS9ywcklhOFppOomSC29JxR9744L/GMbDecWrgtlYc5,S92HCkGSoY5MRFx8TIGMAV5SdYG9jzoGW,ZBxhWMSMEK0tV:yno3sxadbuBpwsTWOmQI+y2zVzaC3vwPu1qgw2es/VlX75JsInW8m5FMWcfO5R5hGeqGmuws8qYxVokW8uNgJ{5BPIpvbjoZ98uF6CIeD9TublY[EMJ:xDEkcWHgx8tVJcHt+WS6G86j/eSFHHxplytKpDGhw8Kmc6P75[9oXXo,1lvRsmuB9v/SwHh3yepPImkT0zCwIRKQL6WUSZx,VSiSnDcUaGvlzU2m34Vwg55rAEPYMEke1wy1ZhwiwNiXmhYRYJChnMzLJwU412cLVkT[n6gfjqnR+is{EhVx5,o2bvUmbQQHpd3jfyN8LUkEtY2qHEK8RfGwxMq4rUU7zL5wkFFhyZbDdWxEN80RIi1ufelg7XsBMZJU/1GElyzhKD5r+I48rG8OrSZWaCkMTg4vDEEoP9vqrqFgi,o3ih9qdT5zXsEliLKqZV3uImOlMnqSuFoK6uJivzN40NPRnG7ru2W[z7RpEDm9bZRY77bpstCmZla[QM8STg4UeysBHMoYlk8{Prb3NOPByErf683ZqMGPjRcwHXJ61e7pZDF7CmGqK{2JCoZFZMrgISezJbJRxWkIX2FqzFIVkXMUj2IDKFIkx9v7NxvIFc5Qsz53yJs7a:Mxs[CZMdQ,FHBH5OfhukNuKCqD8DSgA4zwt[r8eLH6Y3ZsNjCP+{d6QMxJEbsjiL1gQmJJQFS,6GsMyqRZQMJ76Lr7lHWOw25{vSbyXoiLqW22W0Zzht9fvTQkPzkeBk6kiJDYXpSPMKQNkJaIftseEQP{ZiJDHc3Ppzy{qseLiCyydF7rWF5DzvL9jRi,cdVfEn2p6P185pSpKcNwuT8uvNZ8y:U:fCpL8OX8btBnfsImTRlYV9HJX5EN/3j50Xn3shIY+sj4zh+U073k+H4{VHppwnthMQ9{4tH4+c69nSrSC5Uctr1BZIDqqNsLitjhAvG9B{ytShDbsGThaG1[k46PE74ZhTtmDJw{6Yd5OWjeRf9GqXIki0YgbzK1jfT3g:i7x,5PeIPnnmISDUpQl9oeqh7GwN46PhUQhSWkRIjfFsOL8ecP5UFdaemtr[w:yVgYhw2PZhHgeBiz8nulTjk11XA0XCo1ORx7tDU0aFTgWE58/QqX0:g{dZvOki5YeOy2ADiqWvVpADGirWD08SOIz[pYt9i9j62bY18xbx1wV5/phgZMldHcrF9[ptVO/nT58KHL+VhIQhp43o1cdkHwtmuUsiUNFbvEy9F5HgyEQxXW69oCE20GvXs3tCtciDkqwK2blLPgnBx4qY3xDZi:ZPH7TofS9K8uwnxJD99Xp4xnjuD5XCQ,CsVg58U3tLRQMdKZoo7Z3pon7ztPapgOiEJr6Ir73KtrZsaXzeBF0Lv[7z2RWqk3sNu3LpQqOB3VkLe{oKFNW7OI33UV1v5DzIuedgicX6xv/WQZMrUO0FF,7DXd75xc+4HPdrERI9siVVsDKE8O4wKEWVwZml7twoRGAxn2D53boTHmqJchl8UFsEySTCb0qch7o3BWtjzOliZqgfpwDF3nTWM,rseK0ndit9at7r+[Ty9RAt6NSVJChf2TqzdTFlFQgZwG4Vz{QL6s8MMUkn32P:38Wo3bR{odzQA,e4
J:0vV5dKRkBz8JzKqTxC3Cg4LvlcuN1Hv7IzrcDcigVkYSYEv02DsZifewjniY2Dam18Lx1ljp/B6scSjMT2cy439OcxjP8j0tIpjMD2WnCklUFrz7OCkJHnbxbTsS8xYNDVkvtbA0740J5fTM2exD0:2L5r22SG5v0t5vo8ROZt9IDC/w0TRODJkoolOp43aKMRdrqph4fH+d7tJBk3et8n00ugSJyfMgmRr{R[srtEZWQhlPBef78JX6JIb96RsU9I8jt2Oz/3gHOCBhoNdop4ScR:qU5irDRJYZdk6eH6c2DRxCURVE9fdZSO5JfOTXANCBkXwRcsmP75w162ALimjKXIYELHGfPz6,4njVi[BfKzj,X2P9rD/[njsi76DmL4OpnD4hZ{+SlgXhw22zVVMNcMlZjXEmZEvPHKCiUYGODKYlQ{yRs6O,WXBLRg+v1Xr1byYr7DEM/:LQw[Ff62qtp8qkzE0SB7+V1tvBvy8KYD6n71F96TjndZ1jeNlvxPXEBnDoU4kkWfxhxXqKC:HWE8ZphjFjatCbr78nzFIkahX2J{DD3DMtvcWf42NcN0qlSZecFz1wXQp5V7LIst+nnCx6p2VnZzRErpOwMp0STd25mby3kNUsvbmcO5rp4BT0S3NVY{Ybl9S7NdsNX[Zem4OYkTyYlvmNa0svPLWct3l{a0BgnjD{3G4[gYy3uh=>",
        "060P0V0",
        "6&6+6J6O6W6q6",
        "u|-gzJ",
        "SHLWAPI.PathMakePrettyA",
        "GetConsoleAliasExesLengthW",
        "j %dT",
        "O<l&#",
        "Oyereft03ruff552fensbum8braw608043do66Xi7bisk51er404522ado34",
        "?SpryBursApedfohnBangbes@@YGXPCIPCKUSobacruxboltRant@@ACUtagLOGBRUSH@@ACU_GUID@@H@Z",
        "JabsNaveFateLariManyLeeksecshiesBawlwoo",
        "DyDq3",
        "ChrCmpIA",
        "+)$-n",
        "sstLA1i1MGxUAnuWYGrUkKggf20W2p7WrNzIFtolRyTKO:muEnOWXbz7yRTxxwMwFJ0VLQD6uWIWcIE6UZy3SK5XIjad07Bw9IzKcKVs6bhQuGhfNqYJK{pbDxibT4cGVtGjk{J4NWEZljlD8YvzxSOp7t8SwB6SYIXSI5sdg:vjKH/ZwvPZn6VhUZ69E0vTm2kxxlUF4rzW441WAYikA8MrhMY2ePKiOWHBL9mXqF26J4CL9OHHqVV41wIjk[WZsPMed3xfLpbniG4SnrTVPCu5mJifaRjhybp5OjriPRGhrpFT2Xo6jx/osmi6BK2bSka0oJgNCUzpaNPtfenZi{jSYrFKrWgmHyVfa9StYrx2vUUb8kuyDXtQq{gbXMhh/68MHdSUpWMYUeUeVI3Gheyo83nE9SBh8:bFYIRcpnr{TxClQUY[gOzoxjmkZopVvOeoc8m{YdfVLxRTS[XFz[4F82wXL41HF,OPFlnQMSPV1pVKhG1H5KKmP{B6N70CI,7rF9KdPDBjpXmigsht/ViehbvJtIAHZZoiREqou:aQsBP92YQtZ{SYjkNgxrKxErbZj{aOVIRinEzLO:yokLhuoePW2wUZnzlItpxsSKJrlomLMnzUNN0rxYUeyhtrj4hkLGLv/DOtUxd2+27WuLfm3cG039A9CBNdN[tofg3xp4C3KQDW0LadSKJQtjuVGkrZZnODpt4:v7slymSqH,51yd2O1O3gvNGHiG2we3JxtU6fTSI:X8Usi{FraxCPis7,f4Iedqz9Zl/qqCLD0N34C,rSSn1tqeTJj1EsUjUFBH65DLWf3SEyNts:MKIjpvrPpm8xo2yfh5W8H8BNlwp7vl9qaXX{sNFsi4BLEELKhxBhJvqvRzGzk8pnJVeyqWZF9vVKeriSf8BIl50Gp4mhv1OfanhnSQbZUy9j7:reffJHw4uUvqVdpfJ4hI/9IsTm9OJvR8fFwp1R41xCxyaqqDQDnb+LEXwlkboPjXzXkeXoIBtsiLkgq1GRMKfV3RK{rMhhdQsWg{Dcxn0GuGOZd4lJ3rkKNQ4Q7I3wqQ+scFS61xT4PWbcW4d36rOToRFJWQ5bC[yvteTgBUa{LH18NgGI9lTW5q7GUOa{qpt[8dm{vQYPIuPXb6uHWE14LRiYNIx93DvRYzZP7HJCmLF,RwFxzOPsKU1GJMCzcWc4pVy{Edg{e2Y7Zq6Vk0tIF:pFIzg{q5RUzkPgxdx22Me6/p+CA77nDRgzDbpjV67QpyPcYE7qpnKsvzir8I77dNDJMIcmflcg2JqqoIzBTSfd2yCes2UWj8RH42fhU4VldRxFiLvHYxVeVZQd8XM[f{XgQnicVEzH3Gp:7quVeg+SWBpvVsFIVr3hnkBWWm85v1bJcdLUEWpVy:fBB[ofNcvCRquoKtZvgOIfTZkC1s0jzhcO+7us3YIU1GbtHXxzHnFgWHvqDfFueeq7Q9PhjtU7+DrRCuD1i11:63MXzduiuQZj26kNpTXQSzZM80MvvqvQpJmCZ:hchHeMzEEeS8w0GN6lVv8CF,D{w:5:Ys3DVlZ1uQAequOglbI,gW+QKJgUbL2XUhVUhLXl/5uLZPMISRGBj8WxO2+13KfFoJQ0LrCGI564eHVKGzhFrnjZI:R:77nvHc0nRC8tN,Y,fERm3Ct1+w8FslxeIx2Ih9hSoVdBeP2ZHJs4etEyv97pQfKH4MNfDURZ5[kxYnxvOUSUy2Ohw2abzwCrmcKEapwTVvsBH[L:Se8L50TWUeGTSc5iN3n7o21oiBqqT5e6s{TyMIfrXej2KiedrdJisshbi:S62YfsrjbjWEx9Yyb8g4G:VjB:Ehcq4ViIOGaFPw7tct2f/HG0zXBM/nB:vhB22wBX5duv0LyD/3GV5XhXUyE5FG10FE9t/xJ6cMtn+EK[nPSZFC+8Lb/UbuBn62vllJj85G4LuhvoL,4HsZGY2GddYY5ZRpImvj+8ypTRSnNp6Dh
39vxC6boM1coh/0H7N5OzOXQio,yHItcTbIZK7I6Dq0wHeTLPkiCLaLsRnqU5JgY9VQ7oBwf1E1BYMTY0fP1bDUE2mt3eoQRrR5V:vVJhMeP,CL0McpSYbnsbqt6f/Je6W{61h1lyEoEPzN+rfT3v2ogo3qIoHr6E3Pf5NOXOoYr500kn9hXUCBp2imlIBQw{Obc2+216LesZOe7JpkDQNOcTHJ6iP2vDZL0ifgf4GD3RFlyZfzfxH0Jn3[bWg4xCEb27mpw2wUK3njESWJUwBNXen{yCQ88cOuM7SejWoZNK1MzPOxvyhqiyNsx3FqhPEIONNkrVGS5Q1jFjMmubIoevH5y,uObvfyNWB,yLpzcsbmT6JbTbTTmQAb/Er1VlrRQdMXt5AOfsGSjY4:4cmL9{3dMRi09TA0UJqhiEPrHQ5dj2Swk4hxKmjjtGguLnJL+BQ4Nd0u4prRDdImeeZx0DlhUH8GDIuwqozPXxRE5ZE1frdNEtN61tUZoCMnwYCDIuiXapLBwC12ju1LFYn,5CnfyUnB8hlztXR:2ZZK6[NVMUSvux2CxZsplYs7CwSCE{g{EyuJ73VG3{nPytPNZLn:i08e68I01jyzc7+17rRvRq3GTZKS0vc45ZE5V9uQeC9urWqHaOdekupPE5tGfWC2+Wre5km3vSKYF1tbvisBn5Hjw5fwFEEuEeqyzc+mlWoypgMmESDFCM3Tid1OtLbZF987+u9Lxx7M6dJj6ZMs1PW{N8osbvvLVjDuDvTvFztrrKlbh4Mi1RBB7tv{gvvggV/5DQlDYLvKPcSMTVWdbYsrs,EWkRTsNZ0RGrBDsrMVOeFQOmZUa9vutX65xiQC29OR/kyg46ceSMI[iVRonlIXTvaVqFHqO6JWSfo23eBxcFFZrvm9i{q9Z82621GxRy1yN1poGfuS7FAyipD4VGh5MyvURrUtQpGRiS+LF,6xqmpu+c/Svu/YC{6Zwb2GAL+PyWTQEImQC1dkMZ1HSiiDD7Htn1foQ7+bRsoTHlrMOSPxnKK[Z9dKKW8T3Ns1P1CqF7bhssTBMY3J3kCjXujdl5Why:P5+puf2g76fOJXmW3dy5s3CxF2w0envcnEZvKbmlu7GXLzwLy9ktPbK4+lTdu2bQL7J6h8ndC8q,wM6[wntxfEVUR:h{+O4tjGDz9ecYQGs9RzrfGL+XEuBofpOueyyCMOpW3zTUEvq{n{GIpv8RgfH9D48OfDWTPnkQ36CvrhWPOmPMFk04dGdsSxLV9zemuchPSlE,DXyjNns4ny0vk8Yf3inYG[rtTfqhreAE9zqyz:c[JDNxhDadt4TW4gctworUPSNqITuybETpX8CwlmkTXxllflmVr15FaXi,Zpmy058fTBcy38Mwscx6MBsWsUyIP[7{4j34TipPNnegcdIqa63VppfoJ2uOpLJDjIgGXj7cQ17c1nf1rHw{yZZTCefORo8r90sDM1Jo7beWZYOKXz8{vb/dilRuNpm7OMmg4vcHRuv8M5L2QyUUKOu6C,y,xtkrFt7sOjlkJGGnxpcIHmvOPYHvl1r8/IcrGHbVq5ila0RfZ,aHTZYqsEIEBIcloOCmHeA{L31tkwwGeb46rmltM1BE7[l{zOMfco89/Eb9xbSvJ5/4snKqiwUWkjH39HK0vUTTN1onojE3h3BIRzaUmzz2wWwIO4dmBvBjm5F3kSV,yGjcLWb67XA8S2oo5YLjgPvN58UB5yzDcuIqMEL6vLEPLjU7uYqOR9KryqzgwSgHskO{wHZXx[wdLTpUNsrBi9mhQFIPcDMs08x8G3CdVM/WDe3mIc6otTyMJ6FJrr2uQXGptfaIIhm,BZA5Ym0vJQnQjp55iMv7w{LYjHxP/oDwWc9KKjTbc4XfoI+0lto{5KnMhNM0zLUQ3INE42irgrCxOGZJcWrb8kbDjj6uqyZkKhRXh:uu0:4b7U/k9blH+J0FZCUfdFyKqnST1YiQY:jBDLElCqIN7M1
TWxupWey6n5PkNtQ47CwdpbYoROajRuJEnEjD5{1HUO1RO6fsHIM2ajv4NSScKPeDVujT5uyez1ws/,yNfZCzfM/C6mO8+pvy5KHvyvMga052uCD4c34PWLN7qz/ysFXbg1GtNbX,D[c0yorBlRofoxNG8GFWD,1F/Miw1EcDn1s5iN1plSntNhyoDyIxQ2QkLhDhY4W6Wf+3+kDP5Zk{nIuQpKb{AwvHqCDCMtULfmnluwu0e[41/6EY86wguwWfWZbgDhd:eMQfyFQDNxCNPGetrtFp9oZJ5IQxMt3q2B5dBG2j/X1OPDNlO8rLHepU4iDTipCX6QLmj1SGp2LcehzkubQ[CL5vVG/,uDAihmVUXjQUEc1jfkd9NUBxWOPG1BR{/tCvfpWRjBrEVTR,4g8VrZJdFRVvm1druT5JWsEFHCIkK1x7InjkR6k2+GWZG5QTiuzkYWK:BnBm1qx31S2BS57iQrXkrv1Mln879qv3sXkMgwHQDWHyWfAVrGRNokj4BUS2Wnjx4U9yzyuLOFpr/c0HI19sHLzD/wMKJ1EdZiA:DRBrmM7fbhSu4{rDH6yOj4k8zyfZx2hbKWWZ3jKeW619VF/1xpJei:2nC5QXQP1YlOSTGBECPxVCfRXDdt/656+BoqfxKvPpHrlj35etPLpp2wkZ8KhrLrznf9wLNEC31Wt[60n6QK/GzPrCZx7egfNDHtLxl,98oGCO0C324b7wsovOA8KtviSRXTEYwcpzczOKipi[SW6td:6vZrWuvS2h74VoEMM4u{GU2vSxJxjoUkKcMkepVrPBoprejhHim8ILMHtokTULPU/UwhC53YJ2lOZ0bJ+pRgyJVhOdTcHVCMM2S0S6qX1kPjq[SfHoxEJ3zvn:mRK0OwrrLdkdr1ZRiXqU5gtzDLz,MTt1kC1v77ehyXSyg[i2HLRjOtZYR8YUG8dmnIroRzNy9SaPs:bn8nv:WOWXYOHCQnicUrSJWvTP7zqdXncXSMELaCXCfQBfRUYwgkbUu5lOkVVQ0UG87vdhjwwH5npLfh6STds7r9N3VWH{fCAR+xOFyVdZqwgDLBXbt5BTzUMEU0s6iJ/:cmsnTler3ZrJq191rdX2E,h3ecPnktyPn,FeCdXQNF4K0KN4W7ED4gDlzxRulwny+ZZ4lH6taXeVrGvGLQwHxX9mZjornZkE6V0jP[OStx/OMIi5Vj9gBZ0c8QV30j+iKuLPrVEVOlvtHTOl4SNf/Rq6GHHPpJeCO8fmrJw4a2sQbm6ofPZ6NQc4FH4{Yl1HM{C0nvMOByT:Edd{TjYXHvM{uhZSUmik0YknHEhuEEp2CrR1xbqLECRrJlq,IuKWAxFYpea4/Y/39,m78V3GQ2t0ifNwTPOEUqjXPDY,1g6kHvJvn3V{Jpqu2:zEyzj,5VlLeNb4agWKB8A3+Pou0Ov0s3fqeHZ2IQqOLSUcAMYzpc2i5FIYzUvS1Y5637UGqPvV913Tv5NY1pTuKkODBOyDNNRr9R52x69ejOVbCIyntwx77CNsYKk,6J+gDIZn46i[clJqbtEibmZhyHFFLHw6EbbXUrK6wIedkxTF43N8s,e0KmSrpUl3Z2rrBECmHRSqCnhvbhFjNRZrQBvogMorm[l,lYkVJn30GTgiozC2wVp1H,OEy24DNMqHlnVw470Wox2Q1roVa5g{noTtxEHs/LbhD{bEgZ/g57VFWUaSLL7UUHcTwt7s3yumwhOxRmk0HjLMr5Brws+93wqWh,EMHNGmsG46X8RuEoYsuN8b1QL8aGZhi5AUmhvHPHwP7JMv7Yk,5OI:lfbWiw2R4PVY8dt8+wteDRTBvZaLHLtSDG61gXv9WnMzYUXP0vbt1guWId6i6OakyYg[3mmpyXN1MRGIsHGRyM9wD03mFCt9Yb8K4C6{KZEV36x0smgSHlWQ6G59vtoclYRy9,siLS4,9xp1/jkPjtu0fudsLsKqDjiRBe0csC2mxfWbkqI[6YtKKJU
3e6WS1Yyl7ODFzZBC4ZM[5ch0KQ4Do1sSJwLWSwV23UbNb9J,i10gJo+j4s3mArxQt7y6R9b5QUd[yRWCQ5VM7IgsuPF8uBhhtgP,sRDBGZ2cg6CyhCLeqw65o2M40MHVF939tDMTm9vZAby07j9ODMlef5ohVqYIWrigX5sbpEs7I9QN7k5o9,+mvEP{shB,NqEOI4xZb3M{s2+N6i4TURNp1SUMLUE2MKQ[hH5UghXTWW9ix3qZCjg3QMlLuXbOvqH6LSq93JirBF/j+z9nbXQCDD8Z/8UKmR/UaENORn8XBca0LThQIV9iMwEs4ils2p6gKF1P359KoRbwqQs8TEdq+uupYqJVFG7yz4G1MY+r9m4{fEXCUSMxzoL1MoVhb9/d2Hk1yDO5vxGzDu8nxDQqT{WDqBjyy[wkVYJQMI3UORUoBzxCYVs4aF0,Y0GYtbteAPl5wrVGn6Cj5d6w2IMXQNrmCJax+iqbLLy4TZnp40E,tj/nZ3BtrdSCNRxttlmwh,e0AORbpx8Mp7/Or9nbjj6YkRnp9EFg4Mk3+Od2fqzdTHhtiJ7fRc0Lh2/{A[CSDZWyOH/2ZBG4kbMWXZXG391RwLt446z99MJkPJrZkeJkJJmU19TspH8j7RpCrKOTHroiNrkbQKp[fmd4w,ym30E4Hdb4GKBlwIfSYgCyKGTY6hVtv:1jAM7puDyLTq38wGxin5+",
        "KERNEL32.VirtualQuery",
        "KERNEL32.SystemTimeToFileTime",
        "RamilimaputtHastJobs",
        "KERNEL32.LeaveCriticalSection",
        "e64utQZuUfLjBiY6zoRGBDdTG+gapItgBLl3U3Tfx32t0z{Z6etE:omy1l{EBcojL4ZlezYbCKqizajWzTl94lx0qtjy6",
        "}{%w4oKkhrNwMoqNhh+690CTBBkjeVblb2roZeE4jSVkWq+bTNDUjDu0QIZtaflj7[VX7dkfaz9otpMp0yyj9KSbjEgCWKUZWwFf+Ek5WqMkkfLStnquJykrur1tu6mtY,m,C,gcwP2uXuT3IlxnKbIeCP2s5lQpvHZ3kJEujMWzRnlVk{dRNGHvXWDpIiBLHO9[t2Ir0e3D1QlKYSPbTi0ttGGndIN9s9GjRX3zC3I,jRzi51INxlRC+EL3ZC6Gu[CsY6t4KRU8jzVgPWqn3KzJkfXoBmBiivbQL0VnXIaQmfw8l,FMG89veESQxYv0RTON/IWzvms5XLXnCNbTqqkCn{D,pTNOyejKpyUIjzuYDxRO6k2uh7kndCwnX0DBQykYPcBn3,FPQ{MRHnjj0NgbOnE,z[j8CQrveBVNWeZ{0mSgD1z3G:rVWbsBMGrIthf,hDIC5FGh5mBS6lJOuX8RL5tebjyjvGQ02bE9YOqeMyWhj7uq/gNVeJoPURV1QCqrFVVZs0ZnqHV1Rb89nweB99lqFmhN1OV1hWbnMJScQQQ5aHqmJeU{8doEGBYdL:scORu5QlYIkiJhn2dLRPsMJor5NV6shyJf2kK{Hy0uovTt80SuBP7RONyDOF5XKEo2MDZycygbIS8DTc1P+6GkFlCZOly[/TuP8[1cebX[3K+3ngxLpRe:2si[zGN,vHAQGD96eLIt93rE69QDk,Aiyt5wSevzQ38TElUDnu8o+ObK7dv{Csh,MBc,AoX,ZEHXJdzJS1k5TUT6L,Ll/M1lI8HwmkjteY5bPO6sRLg4Z544ewwiWxS8GhP70GS1pRyRn5uKWmV9o36zLYxPj[oJvFuJMXXJSuoXOCcMip4CegB5lQpEe,g:xmdjWCKH3fQTXcQpbfjqN,7xCF3Jy,SXt,R2eQD2TS9hOJH4EvqF9S784leh1GyJKI7xrEjNqrGXgqRqYqzXAR5y0[7LxvdSF5pwuYeJj:Io5VQ:iJus4BgGwYGhWZ/VmvCeTBWmDHs{xOnxd3cjpUnhArgz62JH3UGcqOllYJXrYpXj+Z48wnvSQ60nh4RGeSGGlJIp4uRQagU9C53SYjTOXP2FxwyCN9MQQI66Ru8GL[d4pyhlM[1Un97gQtNuzW67AyLOQFCGyQwtXoyoWwOXhESIkCe8Cs9SN9Wzh4Fkt9ivs9oGfBL:YlBFP0OZFfSUH3YPAIQ86Bz6sfskJ87KLCaWbWmhL6SVIVnudtUlrUP9zXnfngBP/Pn[6kPE40TTVrtMNs+FZT575EIBpGIPpzIRlhn9d2GyjHfJNJOeWDlwfbHpkFV11mwtgNktsiuM6F3YRVGyWylNDfWSEifTQF0RhFfkAMDNYret6[r5Jb/elgWz+sWyqUhsZzioXxwXriGj7KzDWTUcWFFZRMNsjq9c+H8VvxObhePVQ2YNAk5VGWrYg48bbfQPEDTgtbuTrvimBsyWFiMonLt2PoW:dtC{Rzc{4egplQ/KMjThlk2t01dRJhlqPtMu9DaS2CeEJDYfq8RjhgxSgx+LSG5mLFHRqxuREvxY6uv1SKHZy4sPyR7051IYpT82y7+gwYxl4ZFdi8eDgRkkYpIxxRR4bfOZtuEVjogp6PgvyUo[NQR1O,XfSUGRYcgmS,gCrM9Jlq7hiPsyTr8Rv4eYepecQ4CRWCmoyHrO65mQlvAy5P7:jlaDFvpFaq89GK5Y2ssjVFbHVpJyrWPXLQThRP04XOLlwwzfWqj2KSMkWPEp2o9W7EcJryd1URHBsljQbwBEuSXJfoqhbgigYUi26lBsbzf5umcyRRgXu9LqxQcyuI+TxKM0N8Z9sWrTswteBmpZBzIUPDXpHyrZT[KlV{96aQBRFl0WJMsRRyWmMkRcrMT3GKAF6233Kqb5wKPjCDRYNRbUc3OmRKx5/xgXUD/zSnm5yNi4gOuX43cK4PRxjtX,YO1JkOHsxLRUn[W4CR2h5z8HhBT7mWU
SdpSlnlG5gJI7bhXe8sLSRU+7QHBPDrJwiEyPPy3nVSc1N9Jl83KIwJHKqnN,x{QGoD0n4KU2Lf4iJwdH+MeyiocXD4cGjTxwej/k8IaFm9XiwgVs+CXY3PczDrb[5Xw{9:r4ufkP2nLMSc5BIqyv367{j4DjMi1ranDBIkkBoQLSd62YWmx7GhwjvvJgLfedwciNKVUzmXPEH,dNOBgrHryxrI7VItP:1Su05qb7G8Nrb{I2hUQKaj5LAtBu/rpDKp5IkCFKyVIjMKexSSRg8hEDHwTudn5YJKXn4KHpkJmefk6YVEvirS7h3uy[IdhlqvUDYiGvE99fSUjBivc8SM1PAXrvqEh,XGi3VyJzMjlddJkVmeadvXmQUIIvzcws/jfqDOFegchveqpGe25ET{dMqVBwSQGrLEmxrDG:e9ULsQZWkSytrdA4sIrC7shsSfMc8ZKITxrLflYXlsxtbIuIOJ/:dClLo6gX+YWO6IuDQbA{ohLJTfFUeJZU5RmlNt8VA42,zMK,aBVmuTGEOYd4vb39n,GPFoX8ik5V+,rmuk2LayIz1oYIqjC{z4xpMEEDzNimcV+m+BHnU[uStm1L3CX[xm3ulredPNAjr0h7El3t/05wt5IOpGNc0TlymnZKQ7ojL:awDgQGtOHME:5[uZlkEQLjrz5WrdY5SrpscZk1sedDQhhDyq5C/3LGPyp2MhClk6C8YsT0LcVB5KbI0,hEjhKBi2U:Lh1XiGFJGheQnBbJnpT3uV+DHlANuHNDJv1c7KAm8cSbcYW02eWvSqgjKLY0e3X2BhRFYqq5wo4kLjsMDRDemBK7MTv0avULv:zQwx0qXMpI/fp5edUjHY6hDknxehmMH9+CPIAqolxh7JC,pBoxb7RDpZzG7Z1Ys7FnUw6k6T/efFX7HG/gCT4tlKByjYPgB3BQe7s48nb3cuwmzjB2PfucBZW{2{cSzXt5tNL4MDRriH2y1pEt/og1sYlYVISobG9iYK4MdJoGQyf4/6sm9xn9fL5JR9fhTU5rglyEUUu4bhPOWdM{08FbYUat6Eyd9Molyyt{+Sg,3[i9yq4swCxFUWi78FZWpHO{W0LGrYrj6OJDV6WST8H:SPEbhdpTmxjQ4JtdB2z4rIi2V,dBGsJ1KBNmol6fIBHNkCCjyNsOy60xYGMEH8OULoWOeLMzuiIf8ENFtsTi5IeNcV7dANqxUpu,4ZFICGwSsUGT8qqHjP/SoorUZ8062tyRCJQhAdLFM5TpxbYZsxCIhfNXfQa9Wmp,ZIi14Ts7DkmL4Tt03MxllqEhTp1yNGfmAYxMQIySi15:L31UprxH4YhboUhpQk+8/Qb7l:wgfRLJrHmQvXiq3JtCvha9+TTW4u4MQIHd9oVEYH5dhQ55DTK7lPxNwjGgeqrFGtIjW9S15Gyd176sWq08hUwpzFv[f7a4YzjmL1/mqQMQKuR638VdsRWhypC,rwGx4BNT4NTBcLkuEgOnaft[Js9835AbLbe6IBExmr33nRHZaPEHmCWkN55vsOa6/,Z,0Xat+l0xeJIMxJFdNEvEdY52r5w{2ipMtYPzSc4593FM7TIe9VgL7C66yIo86iQcMzDZsZC8YQXq/4zFD:Tqh3/gPmF4J5swbGR:EmaThiJ,wQJJr:yMBBrwMuHXXdphbbzCsWrk4fo55Lr1yEUDEwMQ/05BNFjFXQueWPVj8btXK2LSMWivbqioW9AeppkZIl+qeS649f6hfzqLVIr{oNfw7xjE5pT8ZVqWyZOhA[VrfrcE64dy9jLZTr3RJcCXQ6XhWK0oUShJ3S/c38OIo8Z1cEFNWfdxpLvtLLm90wLIKFLQY[VmwPtnBgPiEyg7Mrshowk3SCXNdyH7coREG47jgXAF1Ucn+{j:ond9jsKpSzZMpHZIkVkwfcIZU{2BOMJzcwnFygqm/FAFUbiBL8Jl4nnSc[v4kfrFhnr7gud1510F+tH7kiXiPJ/Rqr6UOxl22n15/eg
E4Z0XrmGhHZSLIzpGAbe9dhFiW2ethT4FU{Xz+bUObgW:0C3vySi8xi1v+3aiVuuI28iWTtCVullh5i7u1VO4Psxgwwu8tCuBrX9oLyLdoo88mtAGDm4R8LX4AJtwOCzDPiRMMVETkdPpDJirNJ9Orx/44cOFDIwD7cWVsZts0DVzR[h,sqWYEWWpLIwNeSIlRogHcjVzDwK1VIP[Z0RE2MEGb{OQ8BrMdrGNH9/jvSGH0krPKdKghsToTLm9LZKS/I2XJUtfX5ZMLNwz3J+0M5h,NF/hjbkqQDN548YsNEn3Fn1kjPh01tHM+ZP{um2176CIetpPWf10kgE0T8seAGWgJssxPZJ6z3NWh1Nk6gyKc0n,C4vteHSt92iyvRqoOHVlzOzVAJ+QJ8Q{m:e9tLmqjtNf6kdovQip/[VQ9WG:RhtkwNYD96PWForV7TLSHhsfTueXBNsHnOSyKYY3ennQT:KnAcKmzwxZvPxr7eidzFtOdpgvAOYvtG0GqeqmMzwK7LbWchIcdqKcsIo3o32GUKZY1w5f8[yOpJjeP41ippB6UXjhkxgsIyMy5M9x5pV01QWVj4DTuijNl8N0cEPUil3Da48[2W7odNzgWdEJa{K3CGohsqmQiYA34oUqE{/vSPY:ilTzAtRnX,gKbuE[+Y9Wf2r3WevgUpvLNh5w1X21mKQIA0FOc2oxgRavy2CjIMOpvfj8SqGWdC4BcNhSn6E{tgus5hDdMpiDhFJgjVVlWEOVXdZuWKyMqV+:/OMkRFJ10cJWDYPyNsoJ7LeE8dJhr[S,lEzufzNmA9qKdeRFor44bnlu8ww[THTjDZXDuEg5ljPyBkRiEjjXLC+Tn:Lg6ldumT0T68azscHfgcxQiXtOIpCqdsSlB:fw9Si[EYEx2Wa5S8TliEkHlg9xd0hdbdT3LWMgaQbm6CVjxN5CR4HJYukKpRyBcx39fCmenLptrRnW6lT{Zr7YaqXHJlc3TDZ429JyH7BpScm{5i4lO94vI1lZ9w/VNenVLrnm3{RuEkZ6e{aUzhbfwjNdgjlzd2HRlTsqW3AwioW53Hxqrq6oXsK{AZKbyJXiNrFPYZg[7:sjgLpOWsA7FwEUIc9S37yPviFWUWCoN66,xZz{V1MSHZb3LCwLxx24vvJsYkcntHbudT6rlKG51WTpqDLZRx8LwGMJ9NhuR,dh1ChNT{h0t39Gq3Fsm9x9V,4VLL9Jf2lZMBAD2w2t/h617usc0TTxyXaPolscswNO7fdixW6OHMOW5Kef5i4vwFCEQjklz7Jku[/620ccumPjKiJLYjUT/4a3JTFt01gtkC5m2{30dc+vKLDbznAGgs1hacAoYzl{2DeVvL+QFTHIog1Ytd7ixs5wwze{ukDGwtFmMTj4KXD:DuDuXZZBLJAOdS6LPpRmdVVggzpgkgLkI4KK3Frj6iUfpGIykjWc5p8QsuYsS5+PM7a8sWb7oHCT6KTknROtHZ1Cq4A16{cZ8LGUstHNIESPHqojWrdqqOd1nK3FiMxwDMZUsJ9frlDqktJiZWR[4pLtDe8C63vQC0ReID+p9wFfqvV5STQIXZLun,XW/MUuyZAU2RG3kTEwWbU7XfMbaWwzS46U684bA2EP6TVXxnr7lqdEf6H4HgaKhZzvqzXcTPORAufjYZnxPutMl,1npNGxYtSSl8CZ2EQxkvFrgfjW+hBHTIr[cMSPUUg,Flc8qdGCgNQDf1uTa9HJOkccQkEUkwcMS,XsdbpbBlD7ixKHN6ycyOW3ruSLDg+q313M43mgvwiCdigj7txINP5xDSitpCtWeuk14SgTVVqOmFVPzGVzj6Zlk1dl0rLZSF6JnsP0djuGOJgXhglQ1c8N4kFRnR3VBDYwCkXh7R+l2C2:WbqGEXFMnQpJrL4jGE1RhT5Zrlfx2JsS/lpZXZJzdnyB0bK8IdHHRnWnO8TuGOS3RxqDJo7sPfn1GN50YN9wmFxyobDChhISYsbzc9gcAsD
KnWRbRlJdpejp9rGtEP1t3Hh7GGCxNLn,IUwvDEPwNOCy/GH:8e6LumzrxWOxOxKjn7g:yi8iIXTJg2dKn6EIU43BBZ7QFl0[J[YHIpRnErS7LrYrxvFs4uQ[qRqhaeG9mM0BS0iiNYTZSghYrCrt/Rl98iLtMeA3BK9syT+2H7zusemDZHfBF:1YjWM0BOzwc3Qbgkh{2,Dms,p:EE/GDwoO+1ftq0hlU6oGVP7tBtdCTm5Q6zNZ0EjqxYevFBHoZnvwOG1ZPjEK7LMmcdcpmZBxdSiphcjcUGzlZDt7UsYxTlJkfLW:gVTeBTiGpx2XT9MUqSh[e9sz+kCPo{y2xl6CnKVlOPmRh06icBNrVUZov{aISfQU4uUmTQD0mZPqwWs4FrF20yC5Bybo4hFGg3oNBJvW6VxWVbMBpSCLZ3E[iwR8vz/Pzygu7ymccCh2OUAKs9dyHUtM8[lmmJ3NqKA69H/4sRF[iS24b{ENu[xSlGOcaUvRxz3ZedT2USLPeYtfuGTwxM5XTwzGxhZI9M8kGEjL5J7:yLLNmr593b4NzRzNRvK05HI[5ni3R:kwE[pTc4NnAgp2zPHdDvuvOTpYVcs6TQcZjgT9Dt9O2IJ,cRMIp9JO+OrTQBC{tie,M3QfnNBU5Kh6HCUR9PIGm1zMLZMy1t9CYRgPgpSFmnLxrdezlz7mmvO8ezR[zcc95RwfBTm:Flb9Xr",
        "3 393A3G3M3R3`3n3s3",
        "6\"6'6,6@6O6l6",
        "llmitB",
        "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "373=3E3]3",
        "RemsSlaySoreAnoaaxalbuffusesemeuMapsyogaHangLoud",
        "6+6<6A6R6e6k6y6",
        "LocalFree",
        "60666P6X6s6",
        "GetProcessDefaultLayout",
        "KineChamLows",
        "Y[^_#",
        "l&#l&#l&#l&#tU",
        "576=6Y6_6u6",
        "Q-m$~hP",
        "-oM@<LKf]",
        "GetTickCount",
        "EPmLBnujyaph2n6k:sKBKeq5nONKJ5{wqkZz706AlgvC2mQb:mfS9jFjxcv2hRhm,4lZzUSq:u8Lw42f",
        "DyZT!",
        "<!<c<|<",
        "]<mIO,aqeGux8JrZbN3kffc4zxj:YyM9NcDMv1vTMiSb4mnRVSoKhQN17mN2Pu+EnW+29ZUb6xc5PchFyz2",
        "KERNEL32.OpenFileMappingA",
        "HideCaret",
        "1#1*121T1Y1v1",
        "Dy]J.",
        "xl&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
        ">)>/>F>K>Q>]>b>i>r>",
        "4:5?5G5M5i5",
        "kqKDSPX2HCYOP/CYRnffTI[QZT{BN8Tafn,Jg2Ko[0X+i1oOknPp4ubEZniy2Q:OfQpxex4frsHQLes46ehHemEMxU9LPw{6VUKMC06pOw6cLW395ZdQdqxqDI6UQu7W4nZ8j4QcVpklvHOd1HYcnaLlnEJ6Db,iVM8q6NT/2aIF[3OE0jBkgG2gh8YS3bzV9qu8DxH0lr7sY3TTgB[ctMHvH1MQEy8u2ZcgkH0uRx69X/C/IRgdL6Ew1IzjTRC82SwqQyYIFBrrnOOdUDCIehsy1EEP4IUno+LRquPKTNbnNG1NBNFJdPp37bJIifi5gh3xD4LWS3NkcphFFEfE:WVB5IlKCYM4B5lcF5vp1bsLqwr7sunQhbxrNyCZb2PX5eC4Fv,dQcLA2E8e8ucBcs93jWXU4Egt1cfTdCihG9CMnrULbMe0BQC4sWWLB3{xSadTj4l7skDZGnVFKlZb5K0WmMuicIGg3Kb8ug7sHyly5oECX8pm7SMrKr3ulYnV0D0ZiKSmiyh8,Y5ivbkbUCS7oIGXpASyp6QTNEtaMAgeZfIKd6xgHBPJHOEbbm7B8zsKj/IpINuDIc[N0GdfKUNegKEMmxhoW1PZoHB3teDi1AI6Fy4oz2cuG7[pCckxl9LijVfFR4tZnDp6eY{U8hKUw3SYSP[BcrqlzM9X:vOvI7JnT0l48KgYNdTQUYrcO9QcVy4dMzYOPGNvB5J0S2p07R4QgjVF1piuuW1ClEM9tiyjxwgDwZGgm1,cxwi8R6u4OFKspHrDrRG2Ps{CrRtTx+RmupFRRQcjuIpU,ZcQ3STLJBMlJZ8J4GtXMqhFjhE3yO0mcTf2jHGiD+0woB3yjcBRhanDNH,ST7Wdy6YlBkQ0{wYbJm7xxX76zqXs8qBM8vJO6C:rkpgl1vzoyZe/Jh0ipPDFfAoeZZSa5VHbRobtHs,6K72MSKyVqI9YinH1GAhFlI82Ico/j7,wVN21Vx2dKeD49qxZBJJ6Cfxg:Y{VF1INOPKX[yxr,No3sKhZ0QEKrMt7rm9idnqXIQXTsve1mnmlXkobM5yeSVtdfkKm2fyDR68jLvKTrcJVvwkZG25GFj8CjLmbyWeQXGyD,ZmKRY27BKb5qMnSowu6Tcvqb59SefIi[qjvRFuc{F:TR0Qbh/sEloLg0K3LI3IJdqmq5Sg6JdYysBy8mxp0XMoGpt858hfK6HIKM4,g54vjOTZtBlKDeyypFb4msYWVH2nB39eGuCE3o7V1rcwtcvgbyfUGHkY4n1c8HybiRO6mZ9DqqTnm76saX6lBh1NTFXX2q2dxKPfsgD9PePDzr6gJ{3L5kRulll8ihhkWdX1GVGf2DwjDkMm/:FnHYCkCNuWBflvNkN6TpzWn4rTvOomgtc5jqeV9I7LTyhhO[PkgdT4m8Ct2gBwL4x0Vpc7yKnjkwyZ8oheC8pPQmymMCzwJnh[zrteTQD5SIYuCcVqgCUBm4WQp2bwuc/PBTFqSdTViBjtB0hqS{ylUimqFDfP14roZxKsc8a90XrfnH6lEkaVwrDxZvnF+JXtO1U3S06OSfkkau2H/hovFNhI77E5EkrLm12OuVHCuZE:+eSTiWQOuhuGaTZxIJg0Jo6Mr7+LU2WymW5S0xYINVMGj2H9kMXGmIWMM9ArA4Lp6C1wIHEpsz+QwXe,TkgFaDhRpCbgGJvXFFG:+kdEUU648q1mXOm[oHbLoQs:uNcI3GOXaDzJbvHu2x3UKv6LzpbcgUZug2GePx43ysTKOB7yN9s3yFk4FBLyHWi6jFgDXG7e4y3l9sVDNMDDITXt28owJ52uA6k[jBFqfUXCei66eiGGn4aPBoVE1DOgOyKtmJd0VkMce72O1pwia8j:DBXB3FKiw[2M4i6fsmZpojJgpnpb1T3BMBbIt8afHyWjUUbHHHvCUNkhY1KdrvvR2[yPtpAiTTu:A:71DlpCK2RU85Lplihbk2+V46nTu1YdoVWBue7D
WNFbFCvQRzQM4pArJfeKrEl72FD8UZthdCLZyocc+RXxznfyYZC[+gU8WpMi6BRhoPENkOteKiLSdyT82EIshMkxm9fXqefyUShi48B{bzHjWRYYAHtoo9/ptDFqjFe9R8IXsl0[MKcuSmmfaD9{qyYL2NGPArW6ROUEWYjTSyZ8DkI07LSLuBuKPuWlAFK:qvq{kVcTjxIrJEamBw9hNRN:J4HNRiUEDPuCjVk9a1ExTEv:7KnQsDi,GpL06x17Vfm6Vvdo3wKTDp7CJYzstnSz3Y92RyrumTQ2SYthxdJIEqbGTOSL2,q27rt4D1qEHJAHT0OEwnxfoRKp3VtmMB9zjkcL3[SQI5e0ebyfFLHFReZuC6uzJ0rGD:s{MWcyaPSQ50hr0GI:/7x2DQMnVwGc3SQ[yphbdLwXwc67JJJPY0aPR[7emXJ4HL7pjKUdbzeU/1Q3fD4yywB2eICf2G9bKgIXQTudFDAL97wXbU7E3hAXsMx9pYM5I2SzEvp3ZPCMbeOHSKLPu3Epl,GvOkItEIUbNPGqNq6Kl8/c2boQ93JqVhXvEbRgEQqhK9qopVmtah2DTSVPVt+tMTH4bvqeWtWXdeuwZwA,79t7/9ZICyTsm71k9FZrLZV4grERBIvzkPZnkmCrsy1iVrq4rPfCl73xhUBOrFL9RjjwkxInKdscaxlmP2CbCsbu5Wp:ah7Pz1ec8Tr1CZGYwibopllESc8KX81Q7FOisdu,oh1GT,9G2edzjQzud5fZWvxmBtIcXhXZvb7sa,HQF1D2m17JPQazR,ek+cJm3c5rXmLr0dAyl3CW7{I62JzhNJc:XTippkLFpBLZnwSPxmIT3im50LePhQntrz7Z3lE6UO2o3C1BTrAWQHuclxr:FoYKdWKFj7HsHXAozwirJ7LfpCpl5{cWRRdYMZT9cwCvVFyYe{VYdEJDPGJ7/uZ[aSPPWcGRJYtbYehHXljHbkt5sSJo7{j1W,pYHkKwUrK8helMCRnbG1ZP26X2ZccEdzIQ5M0M6eEVvWrIwpZu96OpG0qyZpuVJLZoMpbECIupN6Kvmv6VU1n1PRsH77S{3OdLMtlxtQecn,i[eOZVUN2vsdF8esNlIgKfewaiG8yVFcXej0sObUXQg6gYb3jrKx/gytE{c3DLEsdrkPpKv2Ybl5p5DVZPuGhI8lTZ0ZmdWqQDr1zwWbsXLY4TH0RnEhmwM7RmHMNGC5+DZNrtcQFORfp1Yj/{Xsw0n5aCTY7SYc6QXyAUU8NFZ02,Ul8LKSSR0kJEkQa:cPYJKi16SSYqykaH/d18Uu+OHlD38znnlmp[mD319l4dh:r0Q2Cn35lx6HpOobZl8RQYpjLgtCtUX5oqw[4emwH4+,XmKNahaLjPh:1QEC5Yh7Xf68S2ONu7p5HezHJjH[Zh2FrPsp0yGHVBb80{bXZBAHD{3rbQC8jyhFJMmJIe4hbCdLWi8yX[xPUU6zpfNyr4LilE4nIcx7D[ZQgNRPMXHikvEBMRlTqGzR9GSjfBxpM6k2J3AzyMR8CX3eCSyiIq5Sidn4ODs,/gUnB,3rP0p1V,pwbygkdnXGHuw,YsL2TLsZ9r7dqoT8NhCuWwv[r[DZgzDde78cNmfYc[XUaWpyExAQDbjzV8NPEZNWoF2ysYDQV,Dxt97JgVB7SSpu5zr,43oFnFpmqej3/4Dn7[HdLcuPf9XE/,tSmzAFpppDxcWyJ1SuAbjXBFN{od+jIlgtsvN:VuNBT,GB0qZ0W6AFT3mvAJj5QtF[D{kBFDkFwCSlZ48LQwHf9ZZGgxjEz9EDo80wWcX8otM8jp94UXEGu0nIgoDFZJEhuF6nTsqIvKKYfBFscez,yRGXmG4vT:WDuDWE2GvLbwyUHBN3egGVrq9jDIEIhvTXWV8NfWff7OJ3dCzoauFDwfbZlNY1eGW7B7UGl3M6sgrzI7brSmyC2sACqfZBP1LBr50kSFMvVUITV{3ntJu0MFDcE{4[8[4qEH
yGUSK8CUayNPc5k1wgEoS8zQwzF7MVJQm5WhWYAGnuLxY505Xhf7cl2XRdEuQxC9JXnFMWxNAttsBfF2vcd0CfUrX7ye9BfBS9FGJHcMc[bgCb7ZxYogBhMjNf46v8cjRWTI0ZJ4VFOiDZFjt6YSA93lvjDNXdXsbqHihBSvrnAbvDjd53IzSUaeEIlpKl2Mp2OU1:cYcf6,C8hlQiBGrCe5pGL2pdouhJOXrPhtIoPyBcG:QXL0cD2[ZmKsOheXaZ5TDhsmKc1nIRpMfRyxxw4uHbEhxP00X6bm9RQzoRUfHlru6FwStqa02[wig[FQRSPwUzU6SHNXuGW7sSgx1gCS1wSwg68Ww7Xvdyau9npvuwUuZuf{FfCnuTh[2{XvLCIXZ5FJ4InEVvKWPL4HSsgG9M+PjFuDasvEh0Sii{VW/Z6sIr5XtozGpY+MW5y1RbRPneswEgGXkxQyVfheZlDxr3glZVBe4Of5jcS,6p9e+nlr8lHQ2sHnGVYES{oM6mfl360b05sc2vPTmhhlst8qrNez2TAqS[u,v6Dmok9NK8NiPLrep[K0tzND1wtxUHBKRQK[VVT{4Bml9qiJCBAy8Ll17:LQ0[4ueZh4yVcUq{9ctgXRaJoxInC8O0odBh2z/TegPRF2mEXOdhs0jZfEHS04/lijHBePYvokpvK6hYsQzu1jMV0[9eTKMXmIJVlo/nnoceQQ0TdzEP5fANdDJ6OgrzYlr07hU,nboZi7CusEIE1NV5Bsaxnv5yb:FZkFDSaEE6RTf{69EgCrczisHHPFNW/kQXFnqGI7UEYfyrL3g1Mo+V0qwekkzWir1UrmG:rY9udNfh2zFpgVadwJ21mVMqUQpwkeD:kSpj5DD,BSTO/ohipj+FnF6kB54[gEpXijykvcK6d238vu2HeNL6f7oltyIUOV9iXSHYv8ybphf{+:1[OdCFcQ3[UwRc/,E[DOuYZfsY4nSXiykFXSFiLTDxrlTLUBYtsI5Mo5v,181ENMS88IRQKbNIsDYfyWNjwnAOmF+4Rdg3EGy8GPTKu8dU8vnSuS7GTP9MNrF[I7Mug1m4EI0Si[zhZKM[1lnJZ1chqMGPdeE46ZW7xHpOKLQ28b65SPMu3qj7Tkn:T0F3oiEJSOGZcc3kSG/z7rmep9AO8ZNgoMcLaY1exPg[GF9w8DF3EMfi0T+jljVcyljVXjt7JK2X6PUjNnkD0Y6X8[QDjwy3bYQZ2N7P5ZwVblUdev/06,NVDMlm4ntlwIF4w4ib7V8wimwDv5DT/q1zWGOeM:/1W5qN1ivH6ZjfNovVGmRcd7/VBoT7Z0tjClVXRzADO2bN7Kz7hgnKQyz,OenOQxT7p9GUIusR4rH{tz8jD7K68,E:7{rjefR[dRx3DqUCcx0hHrDg/GP1de+z+DQCa,NT7mYkZKgfFff[aG7p4N1Kxh8HgyQS5hKSz,ngQ1BpwFKx9tGc855z8ItHq9Hpa,zJaRqDKhqpuwnD5pzJ1:SwkgeHAqEJG0Orj8hdDP6,n,rvp0zSfGPZ7xoIV0NEft60vuZwhecU/nV7G4aWXy/,vUv2Lr0qH9QZ0kZrH4aut{WgmFvHkOc7vqONEsGZ+ON3WfI:50x{Fj79/4DPijsdp[+IT:lzHDR0WtLvFzh7nJw8OEyXImgK65bvMIq8pGgwYSbiSi93xIvtKzGEtQBjXX38+{olzv5qUZUTq44oGjgEaDkD5mUdfzlWvtvzu0dzx,6enWEey3h,T8KoERIp4Rgqqw6VSJGTNSnY3RyIk{VIO7sDYnL3Lwmp6VIDpCmEI:nCLHYDaJ8vQipf/zvBXu0yMztU7s6elN/8T{0:RtElJXo,6kih5Zl6+Ma,5zNMLuf5D3+HOb5gGJ2V4cY7dtdGXruYm62N5shnASydkS3jaJB33lh,gfRZaXNilBtWTNAjDRJ,ZFxbMf0bxbE3SN131Y+U5xw:ncIb6QQ5MUtMJNdhO2wzrXEudvfqYbzg2N
h1CO5,4[uJ6dBcqvBtTFq7A,O5MbyjYFne9sCcUMgZXRl,F3auLMUXLksM5mlHRXjmiwBcYjCs6qV4MB+pbk4zvFY[hdpGeD1xmnETTyGmIn+NF3mQRrZDEfEVOKfyg:x:zOoOjQLP4VrF76g2Q3wfLPBNHGsJAiO42J8uok7LrWdTB48Q/:BryYCYKKXyToDYHm/7VYQ:reEiHX02g0MURpxvxYsWHuAeQCrSmelyTronEzg[/Rx2G8cWKu/,BVQNGD6yj46xw9MeyRcJ7kVIhhx2AFN4dRVnXVTCT[qLcB9wwe0uB5fvKy7Xl1kq/FOTrTpnYVkIjbtubdqfWjvMU[RmcSeCENUFNrw5SngftWCPRiF0PG1t2qQgf50kJuOuoJCftTj2fW2IgPIDf8tSDXjWLBRywD2[MHGP9MW6zY7ISd3ioRUGuRYLSJLTW{WLkQwdKgbwh0W,58bfX6a[6pDjeEXec4oBR,hjb2WmZH8,hS2oqSpoU2jWlNzEoC25SFPWDPEn5RUS2X4k+56mPpSmqoFSJe2cV0uOG06kHYLEAFSjzR9N+Qfc+zEDiKgrMu8tS8lmJhFys1DKAf2Dsfl5tjvUWOtrGwIEZ:lUSSqexeIBuiVmFzYm1yaiIfxdGOkXcWmURgNCGBK5nKVshwup0hIpTDNLoVTdkbHJu2ZSYE6Qae1[E{q[asVH3q7yYBlUSFB5uX",
        "464J4S4Y4u4",
        "8+838;8P8v8",
        "VeerCrawFlateel",
        "SHLWAPI.PathAddExtensionA",
        ">'>0>7><>U>[>a>j>v>|>",
        "Bl&#l&#|7Yl&#l&#l&#l&#l&#l&#",
        "s!~3w",
        "MaarSectFiscNextMattbamsErasnimstoeaBadshon",
        "DragRoutflusCrowPeatmownNewsyaksSerfmare",
        ".pdata",
        "D$(MM",
        "USER32.GetShellWindow",
        ":I:f:y:",
        "KTH3w",
        "?$?*?\\?b?j?",
        "?StawpelfOdasbachSlitfogywipeIniaMeedfoh@@YGGACUtagBITMAP@@PCUtagRECT@@UDelsYagiNessBrisganaa@@PCIACKUtagLOGFONTA@@ACH@Z",
        "ShowCaret",
        "CedeSalsshulLimyThroliraValeDonabox",
        "(Ml&#l&#l&#l&#",
        "DungBadebankBangGelthoboCocaBozotsksWheyVaryShoghoseNipsCadisi",
        "USER32.EndPaint",
        ";-;3;N;};",
        "ExitRollWoodGumsgamaSloerevsWussletssinkYearZitiryesHypout",
        "53^KRQP",
        "s11/4Q9NVNPk:doX8Tmabeqo[RBNk/:k1BoonIkY[KytUYGcZSH2XHCJSd4JWSXFK15pXRbhg",
        "KERNEL32.GetStartupInfoW",
        "BemaCadsPodsWavyCedeRadsbrioOustPerefenom",
        "AsksmaceaglyBubuPulsKaifTeasMistPeelGhisPrimChaoLyreroeno",
        "PathIsSameRootA",
        "7<8B8K8S8c8w8",
        "SHLWAPI.dll",
        "?1?7?=?F?`?i?",
        "=-=h=x=",
        "SHLWAPI.PathRemoveBlanksW",
        "l&#l&#l&#l&#2",
        "l&#l&#l&#H",
        "HeapFree",
        "616U6s6",
        "9)9.9H9N9k9{9",
        "nl&#l&#l&#l&#l&#l&#",
        ";D;N;_;k;y;",
        "PathRenameExtensionA",
        "=/=4=f=l=t=",
        "9:9J9P9i9o9{9",
        "3!3(313O3c3p3",
        "USER32.CreateCaret",
        "3K3f3",
        "BagsSpicDollBikeAzonPoopHamsPyasmap",
        "wf7vluR1AGgHV85[7,SQwhWiFb+hBUoix4P1HIV9yWx:pC3Bl8JZSupNvwCoiQQsa,Tjy0e2VIDqLgeGHiskhsRL0oJOLOVlbqaow",
        "Dy):-",
        "l&#l&#l&#l&#l&#l&#l&#l&#'",
        "U0\\0z0",
        "2^2g2s2",
        "?MayoapoddrekheftExedqueyAlkypap@@YGXACUFlatmisscolyHantOldyspy@@UDecoappsSarigatet@@ACUtagMSG@@ACJACEHD@Z",
        "PathIsRootW",
        "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
        "tl&#l&#X",
        "USER32.GetPropW",
        "ejDmZKid5htD0UB[gZTHJVrLlTaTBBsBS18pEuDJBuMks{0H0zRNleRt2kh8S:QPqP/2v2JFYWjpubc,vQKhJvYCDZsyJKTWY,B6xyzRzzHY6Ezu44u6U6LOL[dhqVMnZBg5BBzRcUFjYozMs,mFEY1TcBcQhybOFxlh6oGChW4brQ8ek3d:3Bbpfi9y6YokW9OWFPrN9vi4WGbuORsU1owQcr39qxP:T2b:c7+hJCEhdVvCy202J78TXejqMwlIwD55RzX69O0boXG6uLpLRFFDmfZ,R5MSF4bsUtDL1phtzHmbgZQRAUOxEIF[fQLRcERmaH0NfcZZLnYKPHqNGkN:ZeK4dyxO/sBp9gatnSoHv,guiEumey9S/V1nodXNY2lMW4PP6OZC3NC3c:3MKZn,aMMZM8Nlc,JbI6FEOYdXubmnFPAIrYE06HhIRXskfB0Zncq4ER00+lIXRx2ereLffR+P5XLE9gbZyWUG0PBS2Hww+xa:l9S8T1rJAIkruZb[lcheL,D1lreksZncQbHzlb4mO7mEYcJyfGSi1IqwDijDPBLHTKKminl208rjFot76mkbQX4uLYAr3D2TytirCutj2SgCkhes+HSXAqz653/jjIf:Gw8vTKRtBK2NHqZswlyKCS+3sIljwEquEks[0gEBM9TOdumphQnrb:8ryevI39sm9kdzU6PUBpkzw1PrPPxcZ8KVgVkP9mY1DJLg/lvp1EStY6vXZUIvYinfzw5YJhaDY[JSTFpRK193S7nMOpd0D{9UOZWNNH1ccqiLFOHh2wZ27LEGGieW6TtGH:V941HwVN96Ou60xBn250bPtMwkt1lcelqKnoT5O12Unp9neSUEuMgJLttnuBbq1Jdb+lqtLB1g2NrsxqB,rKl574JiYvXKrqBv9becHGRCbd4Z+guJQbuXoG7thFajHoa4uZDpdJCF51AU4yFV/MZ5/,ezM64cKsi7YktRwkpx6RYuIMuQbeE8BiJdXp82AwoX261bboB,WhNGQXKYJirVuGEkVF4{dpl:Ojz[C9xcC[UtqHYdXvd936zuD5lz2Isz5pFOIx+Z6u4073v44{zPKBlzDhwcZ4YgEQOq5dzLNXu6uheHSq3Nw0r5SJnnQuwBgYulaIXhY{UOlxqT6bsB772mKW3hUS1qQi9fhjpX7MuCSMXKPpztjblS/oqgY0xMpHyKb,cewuf:B5Zgvkx:x[KRJBeyWk2kte6HWPdsbG4sVu5{qX29ab5z4Gy6hqxV66bJ4zJ9yUHmBdnNZJ8{6PInmGRrhXYSiKx0eMF{JG71nS2cb4LxLpLD25M6wKEbc4NcN{aSFOn7QDxJ+0R[Apy1zztoC8CFvt6FgMtLG[ljPdAcqToE4SPcekigFPGGRdZks70[0MOu0iH2b71RsoxJzhmpBHIB3zU{eCh8sUZIWpN7xMJhrXyyQ7aob4DlEFPmzTtV9J9z3LU4HES2dZ1V1wVnKUoUnvIPPr1,otGYhe51GNK82KscsWUBNE20u2SzXgB:aQL5iVR5NjctW92CKQvR+ptZlFbTkcAhy4vLXWgREE5:YgRQBi8,AZSIPIUsG6KzxzJzM8qpyBGzR3hX0iIupKzpOrayWhHew0qFMlfrmQAjCdngB4AkSkt,nsk4+MVmHig0TPh4F:CBCqNLMvVPIfobOzt7l,jsOoScDY0VSWJBE,Q7QE+QNobhtfsO9rDwKsbSJqDk1OAutmWWgl6scz6K+sEc4y2JTVGPWXRiXEtcPBLUwJH9mLOZgyu7iro,8QCpiDNlV79mLCP7LfikP7aXOt58NyId30aVFl01JS4Ct0sxfkgBo{si3VE{EIpQlLBEw5q8DjypdQOOe2zULvRiadkSfJGMWzzX7QRD4b+JXH6xlFgQrxw0y0jpE,q1/jUqW8gclSZog:AgZciRHleK1Bo2m0wQDdJroEZdrvoeifQohQfKTso66XAhtZw04WuR9eVB60HDWia
nuYlopqavjsoSOLVnSyJkr0AJaWWduMyCDgrJeQX2srnbnFgpaEiBeJh6rKvKhFq69S1dXFu[dds2T0ZndKGLp2jO6Dyc6ZE6LgZvW2MU7lWKddDxZjIWwxvbzjloxZ8oEWd3bYbmLsu[r{wo593br2OMCTQMWWqjSYtUE4XPLs2U6leOURT3rYyTArgvovoCdDZhI8T1cSWWmDi7N7XQGV2Q3L5FzQqBR70h9zdUxLyDURRQVegDZkRyb7ps2NWcic6WGT2UX0cnQk7FhvzpVUD9h3UYLJlclyPmSEs{gmgrA{Do7Q/0DJ2:+{JD0ZcR6l0pUf7vstzrUChJTy/TjmGkfWvhpiU6ej8,x5UBD49pkQ7zCH7S2RumcpU3zqb5itnmm6gVyr/0wOqplKy9JdR9JwfIBSfnI{TIK7f17oX5aQyk52csLlY37dNC+IUipZ1SQUvziUE5P3mkrwtzN1ErcSziT,upJCC6d5XPmX8qd[+vixBjTvKPRWRhIuSg+3/xUMS[Uim7qwZlWHmN7mQQyD4wHjl4xWFilQtz+dKR9sW1Mc8eZ4WZmyfBYMYekxg:+YMssfpqNP97sSIKVwrcSZWOVwCdDXaXF07pOv8MMHGGT30ZsTl0h4PcrEf7G4IWJWrZ4Q+v3gn8LOgIO{Q{/[C4FZbwGlQIcsoimeU01D5tdmLc9ypHSPyLKfMiNCmltWX91eoUWefhMwdCOgCTNZg5ekRPeeHf0Wb:CI45CbFxdo4xrvvtu2Kz6Vx9jW9:N7MBZfq5tNtBLsD8T6QOvSrCYS9OrSyisHS9qR705h2LZ8KdHMYbjh/v/QId8vUVfNpYC9htOnHfT:X:SLigHlDSh7swysIqEG7Is0avrfD:/kUiQT1eo9HRPev9Z6pyBbM6ysSUsozGhvhC9PnOm[BNFu+QmsUzQ{EsCbK58fx:M{mXSX2UwbrhV71dLPSpW[mp94RzH2P80:UY22ew2f1fS0+:kFl:WoqsLdapRJ7vSFqCXTs35nheCLDUJeoPjvsos9xvVVe6i:q{bqr:pVHyBPMCLPoNWD5kZpvJmwlyWkPoD{vVVnqYvVHnFtHzdB49QvtPY,p76o6,K41o35BWx9Hqn:KNYQ/Z+Ip[qkE5AlbW32SJZEf57y/REc57MkhIb0PmCYilXUQzZqp[hZA1KjK:pdsN+8GrlZdZk:R8VQa0+XF5psH3AmappjMTwnAOGLQoGBmfpYPLDPeQ6NDuD7o3+hlLORVee3WFBtd090J5Z4UsM8zoxf7EaJ9Y92Iz08qI3Qx,GQBLyzqsWPKcxpp2SpUMYizJU:GKg8ojRVaifBl0f:IOhMPN6srIvdZzzkFnHTXOgu4JoCBdQ9zYEW4h8iLuertHkdyWltkMk:dsWtnK8c4for9fFxvwokJrRUbnNGc4HLGMedbGhDiwMhZSKLjsIB1pLPG8YjRseXfxSCPJvqv7v,WMNBmHeu28Wv6CfU+xhF/0KMbVAfvdRuSqV5l9HFpcf4yJvWm0MsSyFXCHawMgpjRpsyMRR0XlB6EJDJ2ipvpYVxcsFglQIqwMwMNwiW9yFcstg8k:iG6t05IhzF1o/I13vFmvk4/DDEl[cKxj2hZ{9lz1qB8FxPuPW{c{3P/,zO+Pk:TzIjjQI8AIT:pfGeMWGOqKAG+BDi3j1FPxQEiH4Br3jdKFA:hGjUL3FFosMliV6FwGrwBNzt1EY8UqGZVdc5oh9CmI6b9mSf4YR[aXHBsYiwcknG5Dzp2{Xl7cOFx4O1ukHh8EtLdkGXNBy0S9zMxH+HJikz8[yfguI6K17LmMNSSNXkkRsoDiMFj:K[FglqE9VQ1W/pdoV7YOMkJve7+KrcZQ4lOFPOuFM,SnlJA2MyG34SxgCn4eHxvGbX1iRTmISceXqhh7WbJsFwCTWYL{3G6jP75knyH:SuUeX4CkCD9bxY5lCW4xl6RPbhkdDkMQ0MyEAVJNQH8Dcx3KOYg:NHo{znsseOG
UMj2:B4NV0ebZtlp{Q[8dADYMvKay+OEdd1simBwKjGJ4og57qRNqcv5JtSzlH[B1Wj6Z0X+ynkN,mV2s3,NMI1eIqK1Jt0cz8wC2QcoFfgZkVT7xvyznHCHx7bmgk0x4pqDZvTWdkIX6DE8swzA[riWYzhXpEd5UiSs{1kxVmkj4HEYCM,USsJAR1hKuZwrOpjZhzWldGzFf4uPfFIuck6a6rpR[I,YFe2gTA8BinRF7jxLyznK{6gc9pg7S5DJSVJ6J6cHpQ7/KfBZEy3d[jXU8p6mDUJQhJ9KXYKPFz2FVqOxS7qsTOZUUXfRNV4fratjp3s2xxh9IWs1beg6HL0D[vxpUAxzrEjbjz34f5KdDqX8wQgVWyOU7XLKLHro[+1l95ttljHerATVzUSNNYcp600g0XLgFLmzzv32XMJInmUd999dyFl2wnR/4TTGrul0wSU4MDfehvwhqE2qilFSyNb26t,k2TzwP04Ozx7CQ7QgqC2d[V7EJ44FFge5RZ5G2ubR5yLDBHsKpVuswTl4KXnFmfUKxUzYDzHs1JKz6Ops4X3V,4cstOukMfjcPctQ6Q09[KTXHD37vBsquHQt2t[kT5L6WiEnR+GzFynN{7ZqEO3WEtKFRbu4sTnAhZiX3rxg96ROCzKaGYYtEexTWuntWv[4y9DJwwnhyhPTZd1O:cKMz0[vdVcoxzIqb8KbdE4sKIuAovLzjaQ7biFrFG7Y3BZGkTKE5NVk5395YjtdGQ1MQDxffXJPn8fWMeyvJU:GDet3pBfkQXQVj4tC[mimY3ZMr6ZZ,SuOgzJ6vgnz7anKupdcoG4ZZKu1CiHAsnppr/qYgtDMbkHzxp{BnJ9PrYnsB5{19XvkhGYawZwlogESKcMAhqBZGuNQwJylnoFh2AhBquwzOrC94vsHOAE6qNMQTltiBT2q3C[t9oiRnvZm2MkoYHt6bBV8uJ7FTL3XMWoDqr:+k+d1mo6dot[U[9RrUdJ39b,PidP+pKbByw[4Y+kPwks4VDEZ1o,0TJPjiZ,iBxN38D{P4kjR6OgJp7MdgGWzs44ii1,1[V4Xd4ETvAH3MXg/:JVh:UG+W7xvDLTA23oNz74Y44hIliGuBophiKRrGhLI5/ijKivJ:dknV+Xk0fBEo8gZdYWFEzjiqTWeCVOW[T461S1AxmxPZpfHd5WEWq{xc6cfK6RxZZEOMtrZ1xqZHIZGvaFdH7SFqU6G9E9wCfeor2ZWpIWFj31DLSv9xc9+ceO4YkPsdvcRL6smkgomkGEOR8wNtbQA1TLbyGFP:VkbtTQI[tJlgF7h{ISLUriGs8DExcRVrzP9qD9X2ZVklRNx4lkC1xlOdKpA6Tb7qZXDDwvebJqblVTxeabJXu5e9I7RV3Dge+iBnV2qwnShZbVYltn6ni,7fjDhYbDKRaBWwh[ZRq:1ja9xbOXhHb4FZzPQeLiPct:ExmL9xf0/ms1ht54afeOgE6Ppjx0NDbvzNGtmFDnW9Ob5DjSOkkI7whzyGZ9h[iTa2nFU[g,8Zyy/ErWW5bPQ0VJbTzb0PZ,43bvgHez89Nrz2QnYXRcTe0FKOaTsJN{fffkchxo/Nq[pKQNbHSgTintdwVLDJ6NUBlgNEIFnZ7nYWr,1O0J+6ej29kMSdHurNxOHbGS3mPZCcs88sOZQkRtNk25LDzdJU4jNlnQ7,18yj2ysHEtmJvTq6u:i7ItLZ7J1LkDewrbqwRfpRO8Kp+lCx0SxCjrHgh6nmj2lTm6Kdq[PSFjck1TzKJ:A5C,0eZiXUnl2pW[SYVx8FYw2S7FS0HiwOqqUlR4/cCfOiAxATI9P7QXbFfSjh2jZ4c{CB7,OuKfhnk80WSsXvJWIENSFJ3bcL9DsbIXk[Fo0L7DOH8rEDe2LMO:I47mLhx42inD/Yn7D{oKs7itGQJbQInlT4lYHMKGP3q3Yd1hS7CEtfx{8{ihhxCSDOf8TT+lnpnMj9CyL1sexXRl9ik5TMjMw4njd
RmXqMcBRejrpwfJxcnQSiod7hh2SOgeJrMkBeeUG8wBT{MRIId6TjbSRrptXnL1Q5Q4cXlZv{EW/8a[dvV6mr69pmhSBxB4t[axjH1m+97EVEUwBGsY+38u/zdbI,nbQCoM+Ro,b0U8yMa{RxTrag2WpFYX6nM[dC0yzJMOl53GhKf8CU8taqPWC2WSojBwvvY76OxKhWwt17kqlD3cyrI2m1YrZ522X[EkzCEFsUeKIneurV7EE{7UkBPNQLvUL8JhLzppwfeHQ,+j6PPm2ltlwu2I2LGY4Kl0K[heb9aeVlmlXJ4fsqBzY0WUFozy/Y5Yvx7VRCJQuKlIqrIe0Xx7Nl0eBXSxYNWwcv9wynZxJO8dDPs2WzLtC2wWs1D66WSphX1yrrH2Ksin6igkGFPHFNU5T[oRPCmNu07deVRvD8OQQyVvY6R{fWG9jwtZnZNwUOg1hxPrCfgJCGBjZBV4fyblJf4sWj8YuWY1S3ZuTXQrI{/zfdrnVsa6/NQsA6V1BO4Nfscl4GD:UMHjwXfEm9pXp4MHumZuj[pemR4iBHe6WEPO5Ir0D48P2pvPbq87Fz+t+9O,6pyJQyiChbHV5qtx5:aIm:eqSPkFiBse+JcThicsLEhkloERRl8D4VD6tSLPg,WcfS+hFj5rnBWjm0yOeTp8mNdtXzCEBDpnKEhj6d6YMCu0a8PgifAkjNzBk5qxbnh2U",
        "eK['}",
        "<;<H<T<",
        "KERNEL32.VerSetConditionMask",
        "KERNEL32.CreateIoCompletionPort",
        "9tc34LSgjT7ksJmvD1NxsNewhlynXj97U7O2OIsjnaNv0Vglp5FzexmnW7uVORnovysoxu0sKAIn0NYuxRcwu81fYFOEugVLBVJ+3jUAl/w2{hHZhK9leprOkc:ehsEO,UslhU7hNQzMlNBeg4GykAU429n4x9tNXWNJXlgIuXm5rV3DW52CfBhAbolkZF{bouNcLRVi5QM1GXw3Tc7uxXYINyXxWum1hICIMtyZzylSPc8rKc[AnHuKTewgb3HWCiLOVgLu:y0rhJJiPYKTUy,s{jlJcJtIrKn2oo2dYMgvtHuB23iMHcc6:P6+lc3+JBkzYNdDUZBfouOn9mnoCfM8lukrKvCjP2J4UOO7SW:6JzFoTgUeSz:xWdrnXuT7Gyo1URklBett9zyvZSj3EohkCAOKoP9kHrcgQeW4eeSU7qZDqF[GtRJjlLUSEvf18gLAtL87oD5k2zgUMVUIVk0RTBmyMMom91pLcm:ure98{BYc3N5o8+TnsZvyizTT9mdjjb:/Ygx5Tx{4Uahn8fZblnRhBeqgV/UTG/Wp733jRKNVssEG:oSR8abNDEYp,DKpLt2WKCIJ7KzWdYzZ[KBXM1WEO9Jz{JuNsYKh7hQnglGvZZPHCVRp4wzB2/6vsbqRy/HhTHStqqI2gDBXpYD/6sRU7pVAkCpLP6EmT+L+3PcBbremZqENCAp65wZ5K+5uv88TKiT8q+YcbhjSnxE9XkyH0/xbe1UFha4K:/SS98ojE9uFE2xPzMtABA{/T921TWgqjVucp2PjqIz8P2tNYKfdXCfl8dBGJ6MdlNFdrfKrrHcLzfMdEcN2yawV5U2y{WtgoT7eT02EPX[P5Eidf+QjTBk5QQ7aiUieKOKxkER4kiNoJeVxT6izmH0LE96PwUlzNipmNtPa2QhOdfLRzlqlJ5YK05bVy7[IFU7pMEzV3Qz+q/,Y4Mok4MsswpyZ6ZF6rxbibchkvSuPvO{+Svp2kcULLB1z2VrJcbhrLKpkExCNRQZML5zg3pVg{gM3wryRoUbJ1lTSqA5NfK{2838QGbtCLqEeuH[akcfDOyR/fqWsmK4AO7rvrQV6KJukKt,vs9IZ5553zJVNNBlZfopQpHMkiUSKgVHF,fcSl3Flo/PyR9J1cBL+CovKX9Y2N64gzWGJxSDWpUtJpcdnYnKY3/nktFsQ4xIVBtNDh0HizBu2{svdiwjveVv16hvzokhBVLPMl8RPdPhXn6znw8bKcUQvPRCQmlfP2agnSGHL2+HjVzpwRMwswKMoPBJ9YDNSlJdQ:5oYLazvlZDlV9P+ZQ2+BPn0BPk44eRy4zZYyG,JzszHT9T1TvNTfTokvoTr4QhOZ5ZR6X8TxS79CRJg,JdcBcugowq0gIshSJHLdc3UHKIDjn7KW/X0UACmbqn5tgF1FU{efPkG0Fx8Lt5eiH,shmbm4EJlyMd+qC[G6BQ4MkY2[W0/{4O8K8i8Shq8f+X6rMfuiugM11X0HrDO8eXBCaXsBqCPQ9e6[fVv88ylOyXwx9:G:Gvdjav3rS6Ukv4LBZGKLl1B{88T:Mjf1RjZ1HGj2SFm3qx1:zWQwy7XzpEcJw2VYpRqPqoASWV27h{VJdNkKFI0:+kHMn7+KT{D4ZfVwQZpTGEtnUd4Gcn022miV6:eL9maeAX5HQWclJ{9mpnur81pQAdKroOm[ZMsjpmazsYV8aND8nk2gNCiPD{hPsgKZs5AFG3BiAjJNw6EivsDsd2PF0uZL203ZDvoRV{yeOzelIdstHcHdqSu[r,3r64V6m2l:W,68xH0VnoxmDGEb3tMOywhrc,1BYxtzcW2JJ8l6vfEvVBRTO81KQN3TRoBljW0RCpUda6H,aJ4POwS:i6+PGvmLNPReJiNMTmCV6D0GOV67PBwMCEj[d[9zr:ZO1xdlxmpd5JZxRCbkbkefu:7TKctCPSK8Kflzr66IYqNOO0HNNCTmBd4Lq8UxGZnSssCEoDUHVE
ftZ{9{ZK1pnVnnjQeLTq0sxgKwNG91zc04ltIti,NC3X3LE2ZtHNWlc,V[bQ3xtcEQ+uE72DFw8uV3BSG[hcX,+fld4hs56FsJww+zDvNeUUeZEHOg7BQzzjEFt5XNmogph9/sgC4nJ1zgGpNlzpRecSbUZ[oK5Rf2pDFTddyeMceYr2DWK2jSsHY99VNd2r9:znUXWlCbWvoO+SENf{57X3ykcFHkW5jMhFJcGvN2qbjUiqblQ:m7kSi2VFo2BUo3Y8os+dZUKnh05OA[V4T:7QrywKjhcf0oRRajAeZb5X0xkr2LVzBv8SVZd,aYGQn3NThJk:4U10cd4qJdZ7mPdGi1pcLDDX/iJGahm40SMdMf+XZDvfGrAS0BI4ZbOM3NAz39MzBb/73,PkujrtvZa:FT60QNeiBTLeRc88Ec4Fz,7V08vpBUsjOZXxKxCfqwf[OB9K2TWkRe5pmFm6gxoTVRZJ9LCoW[vDU6F9eBbfXsSLrW+bSOLn65JEk{3h2CBRuJe5PQ/fRtRhibIvnDFPUG1G2GCk+{hlbhw277T{hjyS6JXgl98Q/nPfafD8QpQSn217C9dqw7j4XYYVlQT3kxi5qBfc0zam9EsTSUf2v:qN8kZdeeQ0/uayuR3kZc6Swq9xQVGjEhIyL6AvLI8HIiFUV[uz+lsSeKsjT0UO/bKEMN6ND:fi5QOYpV/hg:CTB3pvgmtdXqkVZ{ovfeq2y,8EWTJ[rpcEKTSQ7nc7qEL1SYcsog4HPPCEGQ3w2Wq0ZFN3A8a9fCwLtmi7QuiZhtocoBzzH[/ojiAJjq52Y9pTv4vlkHwsREwbCMdM+UvNcUVez0DUWOBPVydincQR2cmn4tOG73oexzjY5pk6+YT8mRUgO1eo1o4rCSegmBUH2Sb6D:WM7xDB9jc38NWtRNbmJ,mVNjM:1IO2F9Urv[cOl:+wb4prrKmi65renRhfHQpe/X0,0IURWxjKmp9hD[77rWDB8buveQXQ7HZK+HtBVSIGjt/4WHt[ssK1I9dZBM/ieoG6iE+dFrFml2NYFE+nWXOMAzTESviLNrJoS9T14bVO4tpDeYQ68pkYnkgZBqjfKpLUOXKSVmincRG2v18hT68hs3sigVW{uEEO6rby58udJFz1zInmyJXdKNCvCHUmWqoiJElvq3l3AI5QeZ0McQxeMX1iLBawnPC,xCEyMYjTI3h4Yi/R7k2KLXWdeL/VMCbrNcUXxQqQSL7L3Uq9i4A9XhEgF1YfEuSS73xd/uyg8yBCizxbwvTmFD45md4JnFBiwUME3lQeCxeZNqrV0fmEBVbuLD6twEV3AdZOD498QDB5uG2YDZtjsqat+ZmK76U{4jTvz1y36OJnWYglSBrXIirKIpkjZCRtAiUgs7Q0DYx7GLUodEiz/nH8/d6kz3CWKLaRDXZzlxEUUfYRd:VU3OcPZ2k9xbD96ONjLyCc4n/:4Gx{+PrkawAPV,4rZUGINneYTdwbC8oVvP7mc6VZWBNjw,DeLKnGdh7jIuaXepmEpMD{uHywZnQ8uf+WAq7WO7HkRfOjfnDEqiYY1,Mt8cEoFfXn2HIpFEPf8FQ8QS5h2x/ygxrcWwfgd24MKJZx2p+iX4KezmAQGppxbvRlZWOrvytMf2mSCZUGJ1Ofm9AxUmQjmOp2QcuMWuvj1h7yvCKGpnZnUifG+i+6R:8Cdi6y0cEpB62h2nCx6yi5kDEe0,ZMSJy00D19H[14nZMxhyYfXw+xlCPcIrICD:zHETRODiiCMdjgnJCtf5rHcsUFpo0JgSZEvMy,xTb[VH/9wNVeFVvPj6jQtedx5KGiH0KTIg1vtVRtFrW9jINQ23QgSJc0YrAwzQNnV56NT7lMfKuUD{rdzeg3wEXLvggEeKRuEpY:BwOERO+VLrNLceeYeqwDAETY7D0tWtPW5bMyFMHD25FbuLJsZLVD7Pvfp89yhOFQvpixyoV3PixHMH0EZSOp1,oRHt4hl{oihss7x2Je
DTJkLzV4WsUYY8gu1d+hkBxloLzR9:tcZZRI0X49CwmRkKGURkrXN5r4oTSzlUjGpTj7GJUUFIbIMkjYnQkf+DeBj:9BEcwqkgKeBcF:lHuDy8LRxOll6{Ue1Gwo3yhq9Q6{HrxJZKVn0ITKw0ejq8rTr9hrFcZjssrFLU6IGrqye[sNO6sHJ0XVjfHUisq0u{2PRyXXj4M2CLD1iGcqmxXEL36CNcs6Ixl:BT3{xmMCNjcUw40TqBfZitenPWAkJiiinsSCdkrvyWKPIeTin[G79lCopR3itb69SK3,dXMfr5Sj3ZvLuzWVU5nlje+4SRf5dbr6fV3KQmePzl4Tg59[4:XqUJjnfO+t1VczBVQdPE4ThD6rHkZSgm/6fYNvEHkpoQVWfXBmIf+OX3+Grk7l6pwZ+lk1R{ILLuxcdCucCPqwD43g4j9rmmw5IOMd00kXhbtprDzWS[DoFBITEg3G3ekjcC8[k0q[APqPMNftaL6WQGpzyNQS67PLoyzhHpCxYmOc77280MHSvzsDchEvxZwvcgW,K4R4TH2Zsm77TFyBt:LTQ9RwBfb:VEekQ4cLp4FDZ1cWtCAPZr4:ZG3GomD5A27lj,XsmC8z0RgLdQBOlWngZra2ZZUY9mj[e5zCyT23RpIoIkDrj,sxAvnx4mgHHRYVYrcm0xjc9SnD1,CXlVH8kHONRPkcYKq:avjo+vRWEts235JpC9nMBnsoSGI8mm2msedFnVCqwrF0QPnb9{VgmpOnImwxQwQ{cYjIyEwlprGFxN3uB,F0ZXw6b68IEDS9p{Inq0s6IGow6b6OupU9+diPwHKL1HsPwT3wW,R3HM6urfuSnjm00f+faIqHI8gikgDr7wh:N{2,Ko/HDGxP09cMf{mLly5WfIMpEc2rgnirqdz0Np4HRnPns13pdsE8Mfy9ZPTOvCMCIsgjhHNlxHYLzkQgodgykuz,35X0FZ3R45SNahl2RDB6cHYnbW4ppprj7j91E1eLphB6v7ByRwUzSKMX5fLkN[Q4GHMsP[HtjcZVe8aC3GzPqfOV378R2Pgsd3NBLiZK3GOBuXG5OhJDIoVnZ[obPvS{0ioNMIbuTiVZo[mor:crQfDBLWCz7flKH2nqj39qyyMReNNJUjg9R5l6N6bV24+nVgFQw4g27vSb8uHicSD1fPlTX0mQRLrEb6VBh2c86[HwvmeRfTcqRbJI7Dd4x5exoOUnShk10sLVYnjqfT+674ZoO5+ue3Z06l2ie:RoX33WiS8kO8XwvYQrup/nq0kUh6I{aC8LBWAwEIXPnyJczoA,3Sd8Bzg{II9ciZR0Ph3QS11rf1N8+m+3giJSkvzgRlu,3yq,c{HvZd/5HYN2nYHTZILnuOAkhdSdwP+C+bz151TrLNAKB{KzGCNU2hwIWfMTjwVCxgn7XZfp6:TJYftsE6oyT3vXBe4Evlqrf9ugJBBDB{mmI[0eMmtR+TLy9KyTVhp3OEXZo8JBqkmlH1KuWi6c8ggro0Vt82TmWIPiC,VBtkkvh7YP3okM9,rSdNiGrBSUCZL8sf+byO1vIfZkYdm5L{Dpn6c5JnCr/7l:xkR8YgA0rHukUBmSgEXwjqom1KwvIjeTgj1g5mtHbthexjSp7m2P+R98XGKgtbpH2MThToN0s3mYMIc5sNzKyOFO1qFNnrWdyxCtnEqW1J83akidFL3Dvfj,ShcEJTc[9sYucorV0s035fA3vBtqBMj6I7ssBvyjC2xN7ENb5,qw7V+EdgthoCKRgVz2HYusDTl0GcMRWUNjY9AWPTh9/usBsvXHiWfS/tqPZBE{NJgPCMr8DtO[n,eGkhlCJk/3g8/ny60VsnVMBOPvXQAuQIbyIscOmnjByjBuQxrBnLwiwUNXTgogLeeqFOAvao2rfFJvi:P2iRbTg5YVutREad0STHwsPj5OLqkfQinGJhC[FBfiV13si5XCxKuJZTPQpTw{ZVX{ik69a60D3JsIUyqIanN[uG5H
5Q0b8bY1xzOulRXBZ0cl/DB9l6uC2eTY80AWTRR0XHlnY6e[6IG2avAzB2Qx2d4Koonkfq2NMyyiunHkx4uY2pSfmBblNR87I4iMaNPfFZ9oHDtbqtBVJiMiKnxVgk8I3yO,/SEVK[k1luKtys4Zl9LkGFtgQl1OLtPZqyl0/Jw6bpYrpnredbYPjhYbcfw99fJbZXEMSc0Hh7pSZMW:gVYMRfDyDR1YXtiFO0RMD{A7PJ4W1h5DNq4:zgvLW4hDzF45VY0t0Dc6HlVZBMptR9qJn51DyThwtwLRXThQYKDJ2rrENIjRk7y3FO6iKpYjXMdbbCDqQGCNYb8Q1hdTKLeneVA[p8BKBqy6JWfHmWbfGhW6KbyOnKDXSMLWME8OryIUA[MLJp4hBVaCmbvdCM9gtouYg4Lr7L1UtuWhAmXH+GZc44CGKZaWInB1gFuLmDpoAimLcjwdUyAbOKT,A16deB1kYuO0+YPXeVxYhInl5yIE5uuG6nrXSe7YvvoyooDbbR6bCdefwXjteP/1hhgKVMcOlJYXHUcJQnZMi6IY8yUV7[sWUSUZpNnKLcymzNbVycmI3iMqlgPZ80vqQ4KsQ[b8ubpsqG2,RnI546PKqFfpuwt0uMy,0zO50oQ0RBlzVQyuTZkphlQ,xogpSyL{mcr{pdrWQJsgK[uYSxk3U,NcjuN29Jv1CGGp4oPOpKZWVu5m5Y5M",
        "G\\l&#l&#",
        "D$\\wv",
        "GetEnvironmentVariableW",
        "LeerMiff",
        "l&#l&#xx",
        "  </trustInfo>",
        "9%9A9`9",
        "USER32.GetClassInfoW",
        "l&#l&#l&#l&#l&#l&#l&#H",
        "3)3A3W3n3t3",
        "8/848`8p8v8",
        "PathIsRelativeA",
        "PathCombineW",
        "1(1k1",
        "0!060<0P0Z0`0l0",
        "50565M5R5^5n5t5",
        "IKe397ub8CXtoFKc4rpl7t{DViecb2T7YM1yKaiMRmyCfs8Q:m[+PtURL3Myem6ZTR6kTSYjeph4xg1wlgrno+H0p81Wmn78yBOY76uEWgJRfJUWBsYj9UhYSyka,41W8CSofjB0HDNNLwdiEN0BklZtcoFTYYjCFSHyieclSEgkzC1+C6Sc{pem:hl8,1yP0IMJIgia1BzEg1n5:rV2vYfNjGzs[BxL:3wrHQPtmmgoz9t/mHRZdX8cc16WDd[3:CcsEFmZwv71LcqyTk8rmGzNmUhu[03eEPy485:YTmp16TnvCHJ93thKYpwgvt:in4QmbAP6z90USTWwYQnKIHb8otPSRSRCWTxFx5UvVfq0sZ4N9CyngWotZeWbf50v1fF1iRbJ7hSN[VDa6Rv+nQ:BPwVO2MLAqX9qQS8h{FeUMeknwzwf6YsoTis85jlYoiE2u+Q43Q5Soq4vzF7XTAyumJsd09tYUlKE8RRCp0VfyYm/pE,JXvGcq2uEocMaie66IHGNPE4yfh5Vie0JjXXcPwg5mVN7Erbi7YjC9hKg,ZITUiLfcsDXF3{4{k4KXW9VReyRCZ2SZsxm78k3wYJFoWfa2CLyeO[WrjJLr14zUceGxae4XfO72XRPv3NOjfrtnSNh[IGoQdxe,q9EE5EgBWFysRG+xSMq69eReX9685oSlU4BI481iRXYCH8bQVgIezmoS8,5{vNBBtI8zvNSgFjJBmSfWeIAXXYDBCKGi5qKRGka6kMqhPGSjZU+T9lO4Mk52Axii1KD7kJptEX6riDpWmtYjFhlSsY9EUG9KttqJYNdvSFzc8MMuPzV{9DJcJswGNHJi960OJDijwywNfEiN3Bhwp1m0vxRvXfpsNHKLtboRnKmrxtsd1BRzAsBFjkQIehxBx1iqaEMdI1nmGRDPvjRhSdYdOrYfDg0TnchTuyA9KVdzbc19YJO{VomPpeHV6:D3M:ND6EBB7,ugdHDxMib[q5Vh/TYCTXxUhIw0LOApT{ZDAxiL11Y0gphGONRdo,M[WekRk8i{sBDXH2kQ6fnVL5m,Cr4Wkj3jrc0XYkibqHW8oOfLmYOHbxphce2ZZHHv2YuumTtP1HmTAo3k+V5twD3fpwShHQleZF55aY5VIjV41[4PEpkUaqdpnQ/D+VtuS1V45U4{4I5S6MJ1jJUhr1L8X80VrYHux6IoYHADiXUDj,zDR7Dw+ttNvswtpd2zW{cbU9OpccPQG[Z57eAzgytFfsi:fXpt8KTxcFEradfDxpbh5ypSbNM41S6kVNmgIUFvAvk:9ZJmwOoUTQPD6yy{utWk250QP3Ie2H/M5cICwq6P9MUzZBS7U7ZPlbY35KJ46xuQOTVcPCf{izp2GqmhkZsMJUSR2PuP7JzhyFWGViNqsiZyPbMtBU8bt3h9C32mm2xvIYNEpSqsbMDCvxYkpF1V4fl8op8VDLDPuXGHDekbOIjE18voWgItn7bErirQlrPsVKK5n[k8efHmtCqyCmGoR[0pmMNJMVCWmRhz+bdSWKzoPiWGUJx,Z29mMHnLem9P+xu:zRnHI[AnVbh4IbJ58[VHfxACTSphLsFTRUKf4cn1f[h3uL63htg:l6AT+wNTinpNmZnhP1ZPPnQ30iVx8Rn8/d54Ve/d/v7Xm30gGlQ15mSKeXH1JrSErsRJWnVZvdRmSY5KMLXw+HVBhOf,ZJRkecN41LslP:G5V0K8/{D7X3hJY9rVS4yVPpy[prft724,9Kq{jk8ey3nYTzqZjgW08NF5u477Xob2Pz8iGQ/olM3e8br62KTHdvRfyMjHPgWEFk/djjZ[Bbo7cpck4Zu57Y1FUCVYbcN0mijPrOjdihJtJVkJeXsP1RarEMconfSrfJCgWLOSUVZboc0sS0mnfqrdR2PdmtToT{xM/CTxPD8kxVgx6J4:NZOelgecBDT1PwJ7NTVPvd5nSPB:JZw2XSKWpfcvuCdCtn/[MXOLFDx{e8
0X76TGSCoCCtZ31q5lFPmVFbOZys/8WtT4gY7Qd1BWCF32zthtiFZJrYf0jXwhWwhYv,fooS5lxJYRM9/p9VP5KwoOPz3XsfIxkrH2I22ewkJv9YGzyHuM6vdJazvo7SHXEvq9UfWGd82beoSe0UVkjHW,nbGDCppWp5n4kXWTXvGIpkpR3rhnOvyvlWx1nJrJE7+cp0CJC3xTjq7v0JLD/4mzjSR7vxCvu1A8Es+9RxsNsOS08RPytM22VVAhUHRkVbmhApE8Pxy:f0dM5jPeL5osLf470NPxkO/b6OpkB{ZchvfyJR/ZD:E{ANaem73R+4KS2{0Nqr1jAb2:0B3IMzJmmhU{Fs0tZ7PPf[ZQpbCeH{AeIdcYnwixR8vDjoVOAZbNvJMRMBd9a4bu5lWfmbCevkK04Bp9HmfJRwsvWM/R8BzZ/dBLApgJ9mjp+[5ic2MyC7/7ylyhrp5LFreweHCy5515mc/lSZkggReiuUqsqvj3k:aVLytm1J+UhR16R81MGLdK87wLu7h2/MzgI{KKWMVvR5n5TjzvrMxd85KTJeSnqTqcC8RWgC94cb5miNLEvKK23JTcm6n3+{rZ2nzqR1qBaKDyGmi8/ZuNVUdIJ:B63vpBPZs,JojMOXYO5c8d+3b{U:ntYxn96hM8f3X[dd6ep5HbdI0[X3jJXkp:aQOfJTH0IUO:678,ypDiLqajD0rLXMUVp8jPIO+kxCOIgsg52vbXm0WSIkEuIOfUcujlpezUsQCZ/HHRV2v[pLIBE:/hWq58dW5MgLGj0n5osvkCPixs6LHvaxEWPVSE5vSubl0sD31ztyZJzjfXZ:K9INVEG{8jW7kUnlCgQNC2vZZHRsNqkPh,oECPAd8v2g3uK3X:uKFg1kdXzIL8lSBiHdjSf2jpQB+PAuCUbd3SnWiSC,BESeCgKl5iAGpR1FnyrIrLCJ0NaTtvpeXRtClEI8/Kii1Sb5XItsfGhjtYBfj[/XEdxJc,RJpFj:s:5WSBxcW7PdWJUvigQT8raY8zl2e7SkduNnzYGM0H8G64y{pDJq7WXh+i6i+hQpBjSOpFiZtQuPDJ2{zTX2d4yLbLQDJutDeXSb+Du6B7Bdlghc4zS[lB/isw0wotdLCVTvptYEtvBfTijdyp4MInHr1vG92hqTY5m8rZjmezLQFiWjE9x9AY4GG4sd/Dv385w:aT1tZEJohcYVbU6yGTC9FBud8Gb9HXUptGMslG5XZsCDUhG[c7vyHEy3pmoojRIZe8A9vLZr1CqqSTVOUKaPSJUGlmJrldRfqKZ58k3Q9MnPUVmluUGH+ul:61D1DvwQEUMe99qSmM90peB9sTIukVtTxW8PPk2ddVPfQRl7cnk4mKoDK:BejFqC0gXjpRNnaBb8TpARAEUtYgmP/2lKzx/0fLXNHejkqsPwv2pkbrYuSqAiIwftw9FNV{EVloR,qML59FpF319ogel[epH:k,Ak8J+gdLlFxQK1JPfUpQA6SLqCAfObCKzE215O57uzWPmsi80dO7S4+D72rzDFMy/DiOJNd3TWQpJn6hoRnMmFEtGkfCvQbNwQaJrvGO0cJ2wpP3ml3uE9J[DzzgFWAdPGZKIPje9hs1wMYfcBGzBuzOccpKamKJU1HWjfOi3Zz1ks4HCqBRwVWv/M3,zF+c2xrhsiLYzFs6FzkCMWYw8:Nh5ZBK3htI0ywH/{NgS{cpm2w57ZHDdO9h7GDF2u3ib:TxMDdisYdwi6mVp1iG9EamfsjOdyeiAqDEHRrj7bxuX3F8O2T:uLen5KvTHNhUKKv6UpU4k{6Ow40DVYGdLmuTNFn0DpYGppirV8lS/7R:NeWzjE549:hYYuT8YTC6pFaGjikuzB5eKiQGqNcWX64[IlffwGz7OZ3FS1IGxZR{W:OkAsVLMV+Q1qSw7mN1h1tzFwQCmLbROtvhAyGZccyisPF07jjwNsyk9YVrD2Z{xqtflkzVpiN6B5DidIst2ySUs4OjXI
hZbZSx9fmWyyRm0QU69,31v0ARKTe8P9aLs,aQEIp6P6pYJyKj6wSdpRz,vwDqUOF8u7tJNvjEUUChvVVHD2m4FoAJEQ6RkrqnNtfh3c8csobmLgP7eEwGMkZ:UHuiMnLjVH2Zsnw861pmoInCyN23RU0lUQ1mvBHH3FcvcuZXywTikM/4deuta{zFavzSusDQ4rcCTHO{8pExQxkK3jKuRWzF+Imu614Frt2:okHmI2YEH8UOUgXX+mKFsiVgPgs2XyEZpIKu8iUCjjE3nB4plvgl5SU8xyt{o1nNpHjFCQWsETb5w3RBU83BgYQ3P1TzEc8CCCJejsIDv4puV0bji4WtR3nCXcI5Lq8bPjqpL4Q5479jBUjYTFlpS9yp4[r0EDTmcwIX0u2Irp+e8k60rg5q3pMCG2rUSxQRzgh2O37mkgESqTv3iI9Ww5VboBGl13aRHSq3UQFIQVJw0ilZThjVizeJSdGUa3+,afAI5:spw88rrNDuhyW[RXGwHhB8+YHfg1nMrBzW1l6olg3kctmvSt2Qr,W3lv7HxjAotDGzHPiTpE/eUTpeBbm{lXqhAieu4mosb,ZozJz0PKEpkDG[ijSibOIjTmVSKleZBsIK/M4QT:IzD0rRXiDmJ8RZe9q4LZd2izh3CcAFDMl7dKaBdXayzGwW0mb9V5/gV2vWNqN8qgSnAF6M1et55Ktn1mr77bxMggvGvmE5s:TWIiicNo7hCZ+Xcy8{T4DJBgBBDfT8rCZ{B6dXsnTVS8hrJDmgN1f04FNhuMU9cQnBesq41nqPsmvRf2Rw/7LTnYIdk4a9eNN,2JDzzgDY+tF375j2C9qxFnmMHXfuOTOWQhVgky+BqrxFKBZdKHxo00an0LCglcLjNrmTvgSGF8nh5jMxmqELwrUdGfSP/I9FPRfo1y9WB9unv2SoaQVhBRHLTyfw2q3hH1ukj5ScuFXZl,wWIud73I4sbycZJT5vJ6fsYoQ6YBXo4BrD1,s0m6xUiwTqF{LuXcg,ezHUF7L1tnyUMhy4DmWCXr84Vq/NqTc0gRdySK/G3xKKlRs,CUXqE9MIOPKcSqolbegfq1ebyJ8JzxbfOlZqADKicGOjEKBIxFH4Lvn,FCmtrGH2NDTrfoUHmGqZWNktJ9ZNs8XS7WRb6mIJOdpW0[M7MMpiv8j3S64:nNzgsUmXQVA5x{VKaNNMQti{XXCQnJjWaj1vW6A1rtwGn7d85e50RuxYHDuEYHHmKCESSQzgmZ1lDw2:W{+,LWstzO4mcmLNV5wyZ,mrHM9c5CH03hT6AbB339cuhIT1qQvOdP3v+:JfNhz986yOxggywkEMux110Ns4Xd2mFvDYx,2vbpG2YNGXTeTnb4ZHOycoXvg1SlcnWzYNCFQGwMBU6MO7doQI18Ov5WP0rNCzg1rCW,g4c:nvzFYZtg3DeBJxYiT[4,SJX:aYbpEy/{jmXZMzXPAOX3EGJSyGezGuCOjG2jn,6I+012U0kXf1zgbn2CA7kC1Id:R3rcmXNgx8xpXjwnMda{v4yi3{Epz3XpenY49ru:2rtbdPGNiQZSEwpTD8WM3Z3cO4+5jCAWn:YVhxWi2N3Kgo25fCK1bpQfdhtEICe9hSiZHU/rhRHkfoa9G{qvy:XcvN/hMgc8eGo1FvnN54lvzbLQLuH1d0n3Afvk8WJmJUAGYfa0mMwrDp7RPzp3qs3uCwVjvGvRWkgg+2D2El0TDyylHJH3Q,JeOficvS7FFNrkGCg6hrwv4:q5VXQ6n[lsV34hurig6QqypCt7k1hbOj4g9NVdvTe45xhImH6yZjJ498M{G9YcudJwJBJttqCtSESoDDsN2PnxlvA3+6vO0Wm7SRzjN3ON5U2J7p0OGldjHswEwTmF49l09VJ,7sEN/NAQtRjEQ:chggj,NeYBuBoImEOynZQZHR4pLXbQ4b+kIPIUKgGO2SrFSpuR2[c6oh+8v5hs2NjiJk7rR6dgN[5Jfup{3MSt96P,
Q90YW4/X4cjiCZhkEyFW/Bj88,+33BJNsBW{6kCFL8lHnXgPR07[eCw0b9PjeyUP6IbYiqgorKNsEj9IEoJdWIPEddQQL639M749wVmUyx4Fm18{3SnQpvz5O9ZudpsOaE6OnecEDLbPUeYL+6FxynV1Bo1b1zwH6ebmKP6EGhzl0GzvefrOaXFgId6MohXyD3UPJPvmExbXXtJ[9juvrwiKAxKjtQdvz9igau287jQ9NkIX/RuHMfeqXQpvc5h,injza7k6KvQf8[Six:MGeNi6PVGxbu5hNFDvqlTudBw9Z9/30NtMJxOQspqPAWA9SzPZxzVO3b4E8B5U3rCDI:UWW4zDd233JOPRxwUyQJJf8z4lNjdOf6OcQ02Bg,TbSUkdlEz2HZSrN{1{1vLMhWK8HvdS1Dsy3hdqC5DRso4oTq1QHPi,2YAG+szb96q4Ew0HqDU:njSL+xaCzZEJxeDpHvN:kd64CD5[V6J6w1v14JvCB[s3r6Rnnwr{Wfyw0IFtd3DbfnpXi7kSWeFGSkpfbO9JYwf,how8kOYJq,lcTGpQX7LGIhT2jz4:ISo6GGeYbHzsz,ciVxE2mRg0RoCSgLv75OZ6/O+L60u7uqF1phwyqh6I6Z5G5rNu9U9onE7LzEX4AFkvs0BU+UAZEvDlbPq[w5QHJTlrgtVttNjV/63RVIVvfVKwC7I,EpNkYZnFUZULynaV",
        "WhopTestrangrapsdebsTzarNipaYins",
        "3(3/3G3e3j3s3",
        "; ;C;I;S;n;|;",
        "Rl&#{\"",
        "2Wl&#l&#",
        "USER32.SetDlgItemTextW",
        "KERNEL32.GetWindowsDirectoryA",
        "IzararfsFlamWostAirsconsMouefemelallPoretweeSacsOxidMinx",
        "DeleteMenu",
        "?HermArcoludeUmpsjiaoTareOhmsLimetumpdentdellAlifboosmy@@YGEACHUtagLOGFONTA@@PCU_SECURITY_ATTRIBUTES@@PCGUSagsduetLowechies@@PCUGrayEyneCombpupen@@I@Z",
        "S^_nC",
        ":+;0;^;e;w;|;",
        "<@<H<N<T<Y<o<t<}<",
        "GetClipboardOwner",
        "PathRemoveArgsA",
        "?RipewindCoofdoryYockFrogPertDuadfansLekezoeabranOkaydot@@YGGACUKinkKithHethon@@PCH@Z",
        ": :6:;:M:S:b:",
        "BathEftsDawnvilepughThroCymakohloverMitefuzerat",
        "D$,f;",
        "=2=R=X=h=n=",
        "ehn|}",
        "`.data",
        "LoadBitmapA",
        "=2=R=h=|=",
        "ImidslatJokyCombdrubChefBilkSale",
        "|l&#1",
        "4N4z4",
        "\\+s3w",
        "l&#l&#E",
        "H&l&#l&#",
        "NIHRP",
        "GetCaretPos",
        "KmsKr6NXwWcIeaNxv9xwJgLK[Es39syhrN737RtgC/fteLpq3tLWxN3IRXNzvZ{AtVR8bVrs9jVsLR:o:mc4Gf",
        "CfE3w",
        "I1BRP",
        "KERNEL32.GetShortPathNameA",
        "l&#l&#",
        "Q~Xl&#l&#l&#l&#'",
        "m5/|z",
        "SHLWAPI.PathRemoveFileSpecA",
        "414:4[4n4",
        "?S?[?a?g?~?",
        "l&#l&#l&#J",
        "l&#l&#l&#l&#l&#l&#l&#l&#l&#",
        ">->3>W>\\>",
        "989>9R9X9h9m9u9z9",
        "esQS}",
        "-TTUQ14DQixS8HLScboyKR8Srwoqg0KTMvK4QlGxNOKv9smBabFi0VbHx1An0NW0WeJXR58tp03Iecn0HyJ{/onz5mEf",
        "DeleteCriticalSection",
        "< <3<A<G<M<r<x<",
        "mdecXJpIQt58ovXy1fobi97gpaxOFudR55Saq32sQtM076SrsvBpbR48p8C2K7NDTw7xD4oqQTMszRHqibQaStskQs19tL4reCxeJjq+MsGBPIR3{27/jvZUq6jEq2ULO0FYMeB0tSit,KBvUaEi743we8,n8y3o47lL7eVURg0U7nbk3T:CslEfzQ0ENh881D7GW8D5eeFLHQyMIxWOY9sNx9MI9I7Pjvbe1YoeZyrIKwmz{2X9hiBnZdJDHn{q3lh3{jG+VUuwhw,vvUP/8OJoTkMTFLieyx1X8C8gH4Qfk4wMlvksoLYGpQtyIAeAz50BBvSCFi7Brv1ckQMYptrIKNM/NvCX8ptdUcN8tbt7u/BvKOXKE2RRii2DnyXhxS:A4dc0ZRmC2ZDdr5uiSKqCM/jOI2i1[yb1Zeiss7rKCxlMtE1U72RDc6bPjfFBwSk4,mmcl7kywTDqjOLNGcJIh90GW+LAx4d1k+FXc9FsmPzRGPWTDNSavJlwfSCvjngd:YcQ[uRluExyzT19ZV19hy1eIIhgHzDbMI{irW:wUJdDziKE:nQaIlsaWMt/dI1Gm2uezo0A8KnULuWWxx:Quv4Rfuc9p55FK7n8eOgR6qFcRffykEIwmm28[tyvxf9gpHTprbbuhP4XIe1rdwlM7xcIDj6o83vA4JcDNoC7L4xnGcKYEzvBmVrNoR2Pl5Ug2qNCx9GF[oiZshmBP4vx:q1P26EQ2A3SYz6/g5u9cKrh:EOTUZD8YlYg8F:DyGpDIrDe[1HvYGKFvV55vQEvwjX4{7Vh{6GWtkJmjZxtJiXgqrBumhNu1mreNR5U0pGUmYiNzsmZcphLJPHg:L9uql:F6JFouSCD4ByqZ1x5vuDwIqovPJtdYoUUBAih6kn8pgls1ZIKBwWXrTmKVNsGpOd2KLltD2S7I/EjrRtlLvDrxqQyQRBFrb,BekEfL1{zEmumznjj9VWiBRT1{H7KpTH58tkXUT[yE/5DOm:AB/E9cv:Lj2uo4qgiCPXa4cqc{G2OyR{RnQSQX4GKz49AGvz0G/8960dty0gtgY6xBYGVLFe+hnZoDZe92l8FCjfhdlk+sEKZyQSLcrBYeSo8mcIJoPzkyQVW7q1hISGrIOKhrFrKDm,ocWJFeTp02QNOld1+41U15Bc1YwOeZ5SOS55uOmWNLzQf[0kHc09GphXxTDoon8lAdVZqdNbXWWs4ukWo2zU+ykOGuIfa0URxqQFpqSWr:AhnkdFHRZPv5zcrq7co92wDU+KEKzF6i+GcYgL2KfEa1gvHzlzSNXtKh4XkRDWdc7iJH5qqoozSbyb4S/fGS8:TbTuEZnpuK71sqG,D1ajSy/YR6zfr:zBIZppyIGVstgnJ,XTg5tJ+pL:sgryj4Pe5NPJEJSq5io3AdkY2ray/hJzlXTNKt1LijxgSSDbp:cTcgTvIPInXMP21ivbsZyCbsNYBz49kXvb8B8m6LMgk43Tvx7:qRwpiUGmfeQuBPkHJg4lWdhXP98d8xXgpxVJk,z[oD7rig7GJpTgcK4OZ7x5ag+uMrzJmJ/8pFLsSZEB5K5IZ24CNunpG9H7nY+[Jluj5fcrPnMQYI1twup9GQ3oU5qX0bM{OduXw0q{kNtPd:SZDIvqXOX8UDHoELQwg{K85GhWaUjebGKQMxldeITPn0/OsO76mNZgGrxRoUIw6NEvYWzk808rk[3GfM9v1zSLM,Wbqmcx9z6iSkh:4BrT3,KSu4A8uvhSwOet+pTiNxGyCGZ7NjPRMCoo0k0XNuNH8jmetbH[NjBTsY8oZ6Z3sTk9aJRiTI4{8jvseJQgfQBX/Mss8:UCX,mpN4EXCw9mibMym9xD/0v5xNpZ0PZ{LpNhT{twYliXjCXUAIcm7Y4uhfArUIXIivdpvCSCktYq4yRQZt34QqVTUCI3eU6MbinFSWi2BQdFxCk{Uc541guD9kNx5VjmvEQInBkhS0KqnQuqDMfB5u0Y
eQ/mq,pcREyxBM05yiPDBV9Mm,ui/2itBxbfbmKgHjuqu4CBd3ypoP5Mg5lb5jWNTO6B2KIVeuC7FPKu/GcZB2xOfo9Enwz0DZhpplHSji4yUXypsE5JmQkUZ4D,hXNNrgjx3{kxP76oYevFU6e8v0+7pIcBM,yB2G2gt78h2XtRY2D9v91:u57J44cUnR8zSsELvtWLCLqZv,SdUW0qDgAKadIKVz429ph:3B4KiWXwAhIFgsmTB6RsebCOKQ00tp0[Qwg{DOXshFfP28x[HxkgPwULcWVqjvryT,5df:k1IvXGO4aYt6qB7MU:2ID{lNOvYqbm4PaQM0uf0MYtqtzRXiWdNdz6uQccgPlTkXuShYN246nmyqAfKx1Vbv1EIoVustojTMXeGCrQs6y2ugmLBD5HxcUGZTm{3mwf5JLqLcSBAhW2Ctg{tI4EuT0Dj{AY2CIFVs5cIstHVUrvp1mcijhboqkPWnaRXPj9gVq1126qZmSBJv0xRxxPkPgEqLSI6fGKidQftp8BcycC8iKvZMvnZrw0tejhduVeOsd,TJlsFkKgWiRbiW8[yqe{bthUCigTOchSaGyKIJQXjbRC9BN65eEl3,2i/FreIv/PkO+DQ7YNRh3BAsj1eDEdfMf7yYYKo2jv8QxWXryUgFnZ/EwF3dOUCCq5d71nOJ/KA7iIg3UbWd/kqoTz15wRE442TGCOAK57ooWilWCemyaHQktvh3WnIBtHFhh0sTP2jVIFaos2HuZVH5qcj5wRseZnnDwF0VAdK1WpkvrgYRGv/2cfgo6Rw,AFaEc[1sx[PqS9E5grI6PDVcPE7hNIcpsZHWe,Dp1GjIASpPYjpGCK7OO{209t0hmPC9v1HOmHa,vN/2Hkb2mvHGbHGBoyYI2jSxTjIem{45QScD9TOe84DnG9y[Ioh6Q0Ph1{Y{XSbpljB0rBw3PHyOrmvEOUmIKv87vkmmQ9dkGbFiIyuJkMwIYSKhdQqUZyGonRu7mhB[fHaxujjM+LqBtMeLuELLW5P5WVncG6dy0EpFo49Fqh6rEP9HmzXNXI1vD:e0GD12v,X8AsYN6sHBwfLNfPATDwS7Iky{2Wnq+Q2sEHXS6db:02qPJKdiETmyI:XxCtklff/8RiulBvvJ99ebxz6,8F3nqvk5+whxBMl8u0t8LYJzsOKQBWTHpLBI5u1pOT7LTjQJHUf[q2LRgJs[tTbdHJArhh2RC5b9wwWLD3h7qH5TiU6ORbyQn,ymIqaIsyfCjPDoUZ3jDqenOV+xhGs3Yzg8OW7df{6kerASbsXujveNsY9h1PFhjjjNw7rH6yuDRm3egwteeq+MyCMqdtfPekJ70O9ZG37ro{iFXxBEw0serVF5gPSgRu9xhh0Hmt0tiqVFOrsLNqfyGw0HXf1:Pq5S8XI0ryofi1Vu/gYlDgiFx9ZVtVIeNPD,eqHUuRUyWhVov2c0wiohPm3dioRkcyItE3E{u:8zp0TzWLaDffLHJDpsHGPm3zlDCWDbChpq+XlTcuTFM9DutjwfRGsKp{oqQujmwqw4JsuEzlkYPhezp:aDR:BThgqphb3MOHe25GZCVbRRnXQo0Wp,efY88LEGtf7hWEJDofZXXyTgTWfgWHQQ9mu6cuRVTRjPG45MMSohLvo2iPg4vMSfqlA[5Ndjzye4FOLOA[tOZ,yWoWElUJwk82a{qq5xY8ScpiYLanOqCJgPGO4n2C5Q0t+9p[98eJ4Y7HpV77LomCWE5NXI52ubrof0Ube6FfLma90SN:toenJOIWLchhhVYXmpZC905hf:MEwcyrYmRB/wMWMy+2aZRkL6nkiRqMtPePa8GicZSy4tOqvGrM7pe3rc/NMztXc7RhPY20Rz3,GMogylINlmprNSLhEhU8/oC{BOqIae/GnRPKGZG{rOQB6rHmAntIviDJVqip98FMhULDhkSRaeW,iT2xrdspXdLEyYlsMK7ojluUaPcntwv,bPb{LvJ4pzbJ4Y95
OpQjLSyOVeDTRHVwgCWVm4tCSXRc/d94TcT3QO+79W84Wd8vbK0QrJ33zd9zWZ2mHKm7VmA5NvsZIFTNTWa:xXXrHVWoJ{Aynr0Oc7wgb{hSLUyczo+:M3nCeXMYsG60N8CrJelMz9dmuTsMLt0tMeLnw7U8V39DIx59R8QeC3YvrgfLKkgrGyyTNZQE5:4{MTG7Flagr9x1xZS[bVG4bxrU47c6y,k6W82LSf60j,5v/zf9n6NrknJIWRSlrsKYtPDl7q5WNRR[ZYt8BHsQ2Tg0Bwh4pL/wLkV{90byJt6Z5SNi4jecFiqqwkqmQE4PaoGlwBc:lgGuxMNIxHpBzF9jJoQ4a:qBnuoZ4ST422EFq,UETPLXd[cmkOJVtfJ4PGL1JtwKMLvgfpjjQRvcYY0Dw0z43YfXRmwU6pDKmExpVVJ:v5Xzlp7mgz08vqn,4dW2X8VmEks03Ig[/Vs3BvSLau7u54iqjqzuUcyPcMcCuI5DoTTpw8rBP6CYI,c{i3ISpl0qQdt{RWaLxQMilSA7074sEEJOUKo{nYrK+YLPB1o1PFcUX1hMOf/VgneWXogNCxFniV+faGXKr05nuCJmb5/r0[8O6wLRt1oO09b269jV+2Xlr832OYlQkRNOpU8uCjitw:7eG{GQ/X1vLwenzUv{gWCX+Hiwq:d3E:w,+SnZOcEN7:oI0tAZtOGyZ2x5DQSnMp4Iw7Qe2cDNc2gUqRkGT1KJCt97mMB2npV{/,4yH[+hwYdq3[xdeSc0Ockb78T2wvoRpb1KAdSjUojWj17BcvDup2mFEOWTki56U{jDdjrFHZJ,F5G5GMGngho4hoocTVsUT4Zjo2539x/YBBu8UIXyXuwhzPCE2JgEn4RFsmIoOLVkoQmcAz0U/x0S3wwXpBGlFUn12bOHxZdVncBF2xq2gpJutTALdHGFdqjTUjM,yT40kcTgoCHveHDvqFqPwSFt4eW6f0jkiWXphdd592fCtR2vODyVioOLZQVNVI3lMhp,7O/OgJPI4yMwOL7kRgF4BihuzTz7Lll:9mj2K9empeguIQqP/Xk,/1M2ZRIjfPwB8M0t8IxTfc5pWqThOV6RLHe8Ffv,0wY6tkWo4zu10i346uKnjZIFoYaLjptyuKB3ugurs0igfVhWYozTOfuO+QNMMmG3/fd9nQ5ff2ZzjDb0IpSrxbf6drol3u77nyYW6WpowG/ZhqNtqH8mcMC74GB0u4/vK8tSvvg3FQcO4F9nwPGdnSZFF4j[TLbpI:HzG2+zF1HgCL2iL6Ykrfe2T3bBCOY9qfTHXdWJtMdkv2IzHjE1hX1V4tyIP3mPRxHb2IiCV5G{W,7l/3JrCChvotMtuv5hA7CHZz5Rs5OXXWMP0rst7fbfPxzWdSpZteNvQbvz51fs+p2:13BRsHnVoS+1BCpbIJ3IE1Tb/J5jZ{yiL56ZUjGtx5ycX,sn6,SUGtIdArAEWP9ryoLeheOpESYR7xt5Bw3lYrhx7l9VLwKg1dfwxDl33D3Uu0r:EC+B6ybRmKz7l15IEIAcC61,DCUboeXcaib33oCNeKjFcksuT,e3h5dhHxihHpNsDx4gqlPvag1l5znDbzGHk4rl3sCnYEUyYpRjUQ1yN4pYWZHv3wJrjXfOK3i:D6EsKtpW/plXvBH0dmdkMydcfLa{JEbBVU03oZrNtbEdC83oFHZBR2YSyw4wmPrXAJUrbMT{NvpRfSXXIVK7XBnUZTyb3e5oQW9FJOQIagDOM7kw64K9n:53uOjJEP/7eicE5Mv[3:DLzjalDETS2xpg3LcBoytbiiUZGnyFzKsq04T,OFab2yo7Owp6fLe[gooKn889TBXnNyQ{ljyeP1kdZhPR1QW2g67{d68wfhjKWx2bG3t8xJSu0:C9JOShJ:lxwoHo74rpKRzVjLC4+zljzbXxURhluwQnvucrtLwWtpJRud/L/J1EDSBHYlI1rLiVllbLsUExLi2Pwh/YiUTVA27yjhUr
Ylwuu8+jTzYtjID{P4eiEEP2gElDTsN6D[RsB0eeLMd1V[XrNxDJvsmrA3gZNngX4{lzn,TrP2ZQ+y7T6BHE49reduIKGXmcMsPHW28dwberi8/Vk5LfXz4bOtoNN0b{aBQMCWr9TrogrOFT0YSdZnrU2z8mbpj273ErevEuyS594CjNlTqEGcRvr8Sl4ndgYIj1hTEqCGly/71rNODKEI/Ljl1gU9eN/ky3VqX,xhl3d6wPW6Seb3cipFQbzqP:w6oWQl3SIn4qDvKKWCIzLqDOYHNJguLMPpJmAvwbsb+IQBQIbVSfXJ173OtdOLAujk8SKZ2mDX22kzA1w2GLzv+4L2pfv6LbrGuWiQuPtvxLFom,fewjjR/ld5SP0[LIamBlls9BIGIErs5W8F0SgsoX31Vrv[CRHlouaqWDNXmZ/3sFyclBHFCMSMxy95mQn0nLrpAgwYoYUHp8gQw0guUMT8Fxr1BgnwuidQ37PNRWgeIZXD0IRfXzkp2EeevERC0zyialCPNvv4HkXjWodv+eX8Boj[IqBhBQYZcdYKyGBfGfsibEZNBY2XIB/m4mGcH4tYKT7wFFuK3:NbNi0WhYMFbY8{ZQR[fsV,z5I1r7iUzoas6OeQTO1CPbKHCw7ZyEKI2pjdaWN1qymquS60nGGVA9DxJ:nZW2ZWLqsF0nSjd{adeUckxEY6pvcrRtWDaBOndTElg8",
        "KERNEL32.GetWindowsDirectoryW",
        "CreateFileMappingA",
        "SwapMouseButton",
        "GetSystemDefaultLCID",
        "MarkMokeOsesShwaSkegpornlimemim",
        "KERNEL32.MulDiv",
        "l&#l&#b",
        "i:sgDVkyl5ivQ1zgl:JOCyfbQh2RV9F[IkhSuS4w7DxS6:p57chqXRgKE{BwICMuNTSsW9dKwcmn0bVw4Px7jZjm0ewJS3Y",
        "gfcYe",
        "USER32.DestroyIcon",
        ">A>N>X>h>t>z>",
        "SeminerdsoloseenYaginobox",
        "?AidsvowsBootFaysGiveCuesmadslallcarlwot@@YGXACMACUPelfOdasbachSlitfogymug@@UIniaAmiaMeedfohfe@@PCUDelsYagiNesskopen@@AC_W@Z",
        "DestroyCursor",
        "4#464=4D4J4P4U4[4w4|4",
        "CallWindowProcW",
        "sK:`'89",
        " UJ6tr3h3xivEkdVi0TmuHHem1qkyx7CwEX[0y+8xf9:BmIpvJAcGIH61{eX3,T1bq3woZlmjGOVN{ybD6BhZ3QWKETlKnL8dXcR",
        "5.XOSDzTseBTNoxKEl7XzQbM+2aTvU1HVMCJR3yrh3buCSr9Q,G4i1MYOQ+rjXunnGYVgdYF0",
        "fvifsB4KEyDcEPd9ma,mZmhSNAXYsZEbZZclOdUQCS6p8uEip/hwoawNRzsRy6G5JFIyRhp/pLoGOKTt68dv6HMz:ofAI7VI7o8lZxQpqKq51M3U,Nsk0Fy1rZVIdPKIu25gCfdzVklcVo8o1GT6OT[UGoDzjTS3IqiDv8eJ176nc3tEQFYitxhE2qqql3cCSazKyym+f0gnmwxTJ2:aCU5UFHrd7NLWhnsVgbP7iRdqoLN+pe2jkyy3nNDaV+ON9ObKOuj4TwytTs[jjYyecRirb/TDC5qvCez2xyPBIsUFgzW1f9S9Vyb7BF4oiwrfMM88FW8YVbin48SjwYmAr1M4HTgwZrXqVHDfHulFmG,r3CDn3JgzFMbAU6ml3JF/TM4E7g7HGtW+BJvZBUBwJ2zIRl,dsugzGLeL6C2Y0RxTZj0LkcP/Bvs4KIS8W21JIa,fnihCuO9yQIUNjNZi3L7GUu3j5Sbkn4{PLSE/IkgkoIZFhxVVEus3HtWhRoLmlLZCldWuElUtjhTgzXgXN0Yn3IHpfluSiK9/QtRk3Cjshn5vreG0X85+b+5dyuWeupzCZpEard2bjDnYpH:mgpgORSQaT2r0wrpI4LzVWSQM6fKE5Ci2X7QLqaERwckJmJlp{WkjyRUeG24VdP:jM/9rIg{9qq7gY584q08q1OpdBqwU5/NiJQSjwbj1:ORAGmVorjWeiBR/B7BdcLYR64bCHMWnmvd4VoK+vtTxdg[zI4No9O2hwq99[+kScqhBKbLZLyzUlrGBnvrVCu{ByKVgna398A5mNn6e7Zhp3BFYsXphtJ8xd+D/sFJhvwizqt38uxDLBI[FWL[f5cVbqbm2yQnc6MfunKENk6Y/EPcaD2iUU7QsYybkuujUl00mj+yQ7aODBdFDYsSVqWJ4[m2k7ZZx0WM6PzEP6T{GVBXdvJfkj6kuXhZUXObSY2tG,nQpPfbarmJg54GHURZ0{HlNcrqM6dMPFE5yIn3HKkfdfV:Y7bxMtMyltLzoY7btKnOBSGhMiz[5Q4W6Nl2e6NIF4hsmbs5xOx5tCZpkePXaxsJnJwUArhPtpO8i5tBm05gnsYZEt38yQxBgwM{2pNqmWiha8xl2QntnWfBz[BmOuGZsnXzRKwvpIhqkbur2tL1IcifFvhIssS7GOQeUHaCTy5mPeyzSCImLVVTx66mZW4{vXS,NUj{YvmNU,zU18ZBIYbPDDA,ICWvBBYlys5vynBhl5bD3mNzCvc4yS+ixqpjMP8QZMd3Gryd4BoNepnV6Fr1BsodWJ7BHJKpPMRukew07mqTkN3Hw23{bqdrbM7me4OZS4utDtZrrOltEV7vT:crPDW{7OS{sxG6fg76BKjtP{vJ2,690tN{fcmwheg[vXh:7zklB6h9fy+2DPUdPbPgegvCwlYtz7TUY1/ldIRsWKCEGWFmbbqZQ8AJSOAP83kR9sNxcZsXCQXRh8oFsWauRGKSxquq68I33UqGCvdIiMp728p42uT0l:pl8Zfw3h/bbzgDSGUvMUyDZ1EJD5PcOkxjYcmQLnum/WKU+CfTVcTyxdWQsBOCH2eNcHabllR{mygV2d+n+FHevuCEJwExUiW:wRqJud5V+glyx8zmsbErIQPoxDnSyZ+itE242eKnZ:ECdGQWrnpTlJLvz6kJuYu9608kyN7E/zDXcIxnHRh77Fq5iV6SJseUiKsKa7ClzDzj20nIkhydLwHMcmT8/bTcOyM[He9oWPrmOPv3HO6IzDC:HeLqhZhKBuWfd5XfH1NopJO,k9lg5LLVAGLQol5,ugJnRRsDQ:JpPSgvV:7DKjEbsXxNrf0x34Fyqb6BZ:LPcezN8EXtOUYqs1HEjZ3SV0EwCl+gb3sVQ3gyETZicLTOc40DqwW4bPD305qZ80RVZSdS7p/13GzMX3U1G4Oys4NMNGNV4xezZEF9SJD:kw8RShvskZOXRBp8i:kTa86fB4EsRhDel:Gwk{w5
8YaxNDuXpDfJM80GZO06Do0ZvP7RzxQgecZC3YXcn{b10BnqVD2:6zL[5F2qmTfs6BgkVEKxcjI{PkD[0w4eIJ1o/NseDSPJuLFJuJFI8Bo{zrun4IIX6qYgggbI5dO5Doh6gi3DC1sZQZT1HCY4w6xPXfwX5s9ZZxTeF7J4O[m:tMQ,nE8R3mE:E1aoRjT7DtwGDd43NCGX3dRuehuB7VVY865oepEKiwtDzq2{CJ+newaZ13P0Dlk089KWDRMgEUe02cpBN,9JMGbp7yCjhjhxHr8gQOBfF27rTibF+EgG3kN6vbHHZFsyl[nUYn0gieguZXVf88OYupjF2EVyr2wExUmSjxDG69dkr8tjV{Mi8YT0gMJrvHmSndGrcjHJAYpSG{4caUJj+xk6FboU9BCKwb+JgxZ4D25WU0FyPi56efY,dLNuKZXIrg/RMLGdErof4gn7qUMct,uLGlK09UtKQ2nNA5qU2B7JdnDbY1A63d/EGiXjliV:s0tUxGj1NkUvNe1s3ng,nBjpt1wnH[kSj7o:1h2zT:ifxLPz5eM8dF7GiLN4CXGqlh66v{VpXk6NQPQOfzOkrFx1Uz1rJeQ0mNeNm9VwAK0IPuxPoc3YeMRvlldcS2O{TKTPBLMdQvHYsW+3iFjv+6MJr7G2N88ZoBaK7IowIJGs9eqL18Qx4FRLMRzgkip1EcMDYzr9C2cnKwmJOWoOfWHhLb8CbpQBArCdpwsqELB3G9ZsapCmhsBSM77Zj2J7jOrOdBJr/:yGzs2YPsMlOEHxKCYXHmFVYYPHq0LTkyfrRY32iN3pNSAKsKi:ErOpftRHWU4WRUqHqJ25GKxTqEC7tOA3hSW7UEKwFe/MMtvtEV5n0xRVERoopn9ZI7gEf:1zizQU8fjYbhRN/k8MQhVGy4ygLCMNfBn8dMYZWp4lj1a0cVXCohlEXxRQZoDGBJz6Lr0kpVJpnXEQiIvP3LW3q[tcpp4SJrlkRY6B1VbmnSln1m0g4eXmCw332hceP1hLkQiu/8hcnJTslraRt0W,1YA8w1skwILpOgsducaeOGCc414wA8ur9Ke8Gs/SbDUWHNOZBdqg53d7lq6e9H4yZDxf2Dsus72w3,AnyiCsIteiq8cRExzsU66sDpgl2{+vsh18XF1jpeXrwUzGbRURY,6SZ9rTOo3CmMzFf7bjfTCYKOd5Rkoji56hUJjm+l1CCbXTSbLck3RRm7X8/TWrjI14u:jBmcOMAdtI4dloubuv5FM6GLQIRFk:GDdv02fQFzrlkLARpBK4/MP3AlhqO6xykcNLNHN[6psRbi+KZoGOApSJpjN:F0VVgJlziCLIIJNGx0u:YRPyUFXZ15eZA:3ejCP1o23[F1PxehhBCQymX2EyXlZ:h8c:M4E8kJydxlLYBE2hxjLsjr82eos0ez8zVzvqJVK7JxXROmtcZBw:oyFUvK3nv:g4IJXhn1X:KE8XEn1SJsfuWuBiZT6BrZVwJycYgiKV4kOzYpyRyG8omVY,p3v[DO722Fgq1gR5jomESLPBt{VBi5t80qdjqEs6SOkFqNKqEcAXHnxiCO0Xb:E34TzP0U6jiPXq9bT9I[OfgZZNcGU{kexsxLIimPTWkuVkV1d[HKiQg2w6jiHJ8U2KQzFRGC+5Yeg73yab07sjY,/YhoDQwbFZNESPE0WhqZGEuFQy2e3hLBq0dRdHIeNPFuuHypn,8Z1,cBAVUivk6LJ6tBDje4iqIY7L7eJRq{2U9mm,uYOEqnWs5w/niOPY7KGIYSlu2hcZ6povDFEhSneRD08WKcSR5VjkhClRHOTEzPzEv02TR:kpyGVKFvZrZ6RLXVm[mL4g39POqI7bZ3oM0OSCmCV3Ep+hHrNdTpuKs2a4kx0b3WusNnxrti3uD0vhrT874Uz3sbP46l/F35vqQ7npQfX:JJQNI3Ei8yRBseRNwq0vWHc18o9elWre/ojdYdksEOCzX{9fgkyuo9yXOX8GcEdkvqrR
3EFPCBUVPzDnTgrZvm0{z1Q:Q[Z3rqNgLTQFsfzVHflqN22ErYqfsSYIhdxL7c00q[mHyiaCyf5UAEk4Si9gkCynSwnko4U2IY7oDo6nYLy[mZ8KZfpHbHOmZXvKdM3sqlJ{1zCTmKWEX3rY+r2li5XU4S8SFulmZ:Lwq4AkTCMHBoz32vzLj9AS4:7eWi7GYZi[rs8NQFa3oQYGvSZxobBfK5H,ir3EeXuZ6c2J+tewpmKdOEDdGzfwySSneUW[fQwSMMe13bA3xKE[wt5LPKVxsBsDwgibdtHmLB0TPHR5dspV/[HwdbG8bgjloJbJCodCJVWLuIlmqh3RQzR9D1a04mrbXCqxVLcx+5OFm2+pl62VmRld6i0PG3Cn5cb8DKzoGOF7ZlvYJFXlI,2Pr{7OUj7ixziNMeTXrkvGkMtISwSBzB13AYGyqsIuPIZbol6Sm{ezhHVOe29ZWLMEDBG2CjD,k3RhITWpycgGbMqLizsHjmbcUiNxPHKr69gm1mGRpZNCBQ9IpSibe0ctavCGB:1ZWr2kPqosf7ldj1TfIbzW14KiU4OHd2MLpC6eYc7lXzj18v353rM9b9G{gk6xLGAJf{NKYdTRLY9LeIslvOEgufPJDB3ExiHRUJ/3fgot855{W2vKAYWThc7OuBLueX3L8saRCVHujC7uWT+LtUaed3tV4nRJQ:ymUPZqi[rSyc9vwTMh5ftNDENDORI3rByN+RJBFZYi/bj9a,kpY4uMe2uJ7umh7PNPPE4My0Q63qr[jNNeQXa8Vwbg3GryA6cDoJBuL4iMmZw6jcQ6NI8VSOu2oltIKT0eBpBZgwc{aJmRr[Cyh:sWALIuSsDdHs8reKO039pux8gXa{zq2bpcbxR8bny9PZECNL679WeRHNGfgZoK0xgNb73qqESz8qqxrpJktyEpbj9K8kgX5BCQqQx4Qnn{fPyCrvvsW{v0aI65dOCgy{F,YJ2ec78{S9nKBCrIlfsERbQ9rhu2cCWuM2cDs{MTpFzGq[kI1tzb4J9UI60GwrLOhf5hE3lBK8ujGn2KTBI8sesh3w7QeO/z0sH:SEiYLReEz1CBVcvna4cs9wN9V37eBnDH6b000zPscduHhH0BMVCS6ZGbT{OWYZQdNTxZ03l:Mum[VWgFaoBHAJVG8CnrFkfoXkIip[lpIZfuYuCIifBKZl08y{CGZlmf5{UWrn3hLDaLzxNVuWlqLXDlTfw16sY,lM25C{2YCUVuKNFWei7LdLeIYqEu9GS6K6LxVbd5tTONO8fPZ5LR7qUdwfyoDOi9idjFajmG641XpVb3xgUeP06O7gpxe3wevrKZuY6Z31qH3LIhN0RGG[vrL3Y850m:WJ9KKT6e8G7WfQSDM1t6Ket9LgfOAM53WuiZC[KWlGIJBFkG5sGCOS0GaLroCdXN53DzXdQF2,/sD[3Do{Qq7H5Q4f3b/J8rhNMi4Uxi5M2CNyzPC:FLj23dwlMycPqm+0R4VwrGDbjlVN+nrX4V61V5L{0HcjXbvOJHTYWLnDJLdsIf+3Grqr69qjoy8wxkzJC4QkTB7tOTIrD0fPh3gwkmrEC5gwO:NTPR56riexzWMBC{xVuVtF/SpXA[vJaFjwppMIRl2nE5to4fuqC8PI6ukLzmt80nOhlBmNzNw2I4/GZbWVhBXmi:axyUyER2q6946dN10Zr:lp5KNbW4LBGyaq9bjLR6lnk2SOYkZJ5tSHkIzeHCA,W2EQL6uLYDxO7z2dTDaJrLW8FTyVvi7eWpl2ygtcJ5CNW2euHK18uRzuNi/91603+VbI30e1/DAYoGwQyLs:gc+lMeqiLZNIOMifHh4iUvsz+C6LaMsnit6ZSZz,akGsKdH,B7X2OpxCl4f2AJjnh{CBBg4kQ2sWPFWEW2NHL0ggvcXWmK+tXnDQNmkZPIQ:Vpgl/pdO/5Shi5kCTJh8f4vKJcHZloxCE:358DNqBjLXBmnbrN2fGeyZtBr08N2Qnj0P94
kRzZs[s,Dh18+nJd/3AoVdBDSjVUXSQkv5rippZpRGgxLhVdO2wMmZEh9Hd62xW5oevIuSp,LcYp8J5Z7Dv62WIToNpVM9lgp:5eu[nNJ7LzClciC8/C9zVBEgyG0LLWtkSEonLfdZ9K+Y0U+YtXh[vLU1UsQcx4jjfZ3zH:ln4MHDZVRml,dtlttJYNh3QFRZIpY[XWrz8Rl2yh7JBCSGo3MTxmhPYtZbpifBfeucbb/kaRntjhL5sHRj1NQvoI15pZXTZYqMZsi25WiSl1n441SvRF3BlkL,qItkSsejsLds32xd9c+HXZB2Ytl9+kSZQfWdoeyDvOLrtw96M6L0vwHU5pEFYJDe/dwEAuZsKQMfd[+zsIuClMs7n2EsNdTnRbGjUP167EiyX:9uB,23eBc{9D1EduFCUISDZqx:r0DMlQ68SjWiDJo1zk+8W1rOe7t3X,Xso0w5dr3rOtEGAVPv0RyHXBYeWDkdkHnRgfYepMZgwMOsPzY3AQiTb5dGN9CIDFqKTRwEvH663rqHlz5Vq094Kyw40BTvXI69bFbWFo2qHii[iNAxFFkz4dXRfNul30Nx4flQu{KWsGXgEHHsUofHgsJDP35lAKWPQXkv8n310oOm4hsqWiiU20ll7{vRlUBVRKkEtpxpxiyn7[i:xjkDVWAk+19eROjtnXK:3Ouz+LFDLGqI2DHNw0uijL0K1mFJ4F",
        "SHLWAPI.PathIsLFNFileSpecA",
        "_(hRP",
        "ll&#l&#",
        "3B4Y4q4~4",
        "4%4G4L4X4j4p4",
        "KERNEL32.CreateFileA",
        "BardHolyawe",
        "D$4_^[",
        ":!:):8:K:k:q:",
        "< <9<O<X<_<e<r<z<",
        "PathParseIconLocationW",
        "7!717E7K7V7c7l7}7",
        "1\"1@1F1P1\\1",
        "KERNEL32.GlobalHandle",
        "WriteFile",
        "=#NEw1zUTMNNONvJ2NRo+OjJzndo4djQeYoJlUoqiQeJ3gyK8RpqRQ9GyWDDzetolmnR7tLSM7SL",
        "SHLWAPI.PathIsUNCW",
        "ToeaTailecusGeesSoliCadeSpueEndsPlaykaphall",
        "GetEnvironmentVariableA",
        "VirtualQueryEx",
        "uF.3w",
        "1.2=2`2",
        "SizeofResource",
        "ibx6exk27WmBUZplNNxLSMEFKoccF5sJk5Loz4DzL74W0bH9h{gLoFDQFmUCtK4Wc0ykmMqU57J,yF7OUmrtSmWpkhLsJRNrj2A9otES6nuX132[T{4lY78px,VLLubQ4i8jQpC,u3W2azSkLNPM0n83WN4CBTrJDmEvTvtxT5d3J1l,heXhf{V9g0c[KMWH3HH8S5Psw5T950sZ8KX36D9iLd3Vl6lwPJxCija1yQG6L5bdttov15hZE:dU8iOvuU1gAZcpnzYrYFKRyuzZS[Wmv:gbRpKKk2o9ij0pBIGYNzHw2h5iOLLVhJPzfvnzhEacaBxdbTxsCebBDmrH5HqFsCjE7G6jwLCpk[NjQBxFn9Awfp6bhdi9qLp36cKKqgJQkR6mWzNyX2pLBePLPionnHQteT/hJ8txIpkf78dP5gEIdmquPgCzGfmw0,tde:bDO539njSToZJda8FNVnT{dl8JUeihJWmGYb1tuV+n1qoCZ0cCSY3U7kTEFXqtPJrc2et6MVhH3eF2ZtfITICypou4tZk15VOCgz3HP,JFFUuD85pGmrjTB[E9e6/ZLJ1s9MeKr8dcl:X0umOs/zE1OpeBKMsuBHB5x{2LDZzw7nUm7dnflyIVu28zhzjQ4KBI+bLj5Q8FP44V4D02c7MtvnEmvIFkOguMcjGb7P8:F{N0USyXyhF7nkP2GW5qQqTmhE2m6u6po:KGVVUixZ/RIzlUPwce9Fs28DJCIstbbuDS+FdzyDg07YfdI,GYhIlfhdG7FCQ3bx5s70irhnG6WVFUxMbOreBQ7ckJB4yuUD3EPBEi3KCPi7Ysiyefzn39WT2LyhvkV1AJCb2{mK0gQ7U9ge1co8NFkpeytGYBWxIZu3okGtclkvHdieR0VNNuubqKMKYZ+qfLsx1C9ERBJRzOTUk0TpQ,7MwDSRgzfB9x236fP{Ty9DL,YXqW/tsNdrw8NGhXOqPGq{RmFoX5zO3jw8PUS2r[B,AdYGC{o,s74iz4lL45oFAqr[MKIGU6emwk4matKOMUHn3KixnK4dl9+kzNQtHiYxBVA{6bZZrKLDHtKPg8EgKuJtv76ivoxT6mSCrKNyppWo19QWMkZ9uejk7lmLyvxwdfm6TZg{qemDKJ/KwE9rCVlvfNVKo8bGfWArlGP:9eQMynju/[ew3UtUvnAQcwMkVruZcFN0k1AspfzdOeHoqhVnX5VZLwKJNUIbMhkjE9OTubU,r[24hNfFabs9g6T9fZfQivRDSnMLVivn3[pvB3+zBUKHSz2J+Pw[4mYKPj7He5ICmDuFzPuscB7{q77ERwM9Yum:kTwyAH3fb0eeoBY0iEC4sT7E54eSdvxeE{JhfQG4XKhNajostYIqcXWkbggrX0OFEra7CbMvGx5tS9H9YBCQbzRbur4oeodtY5w8g1J7IyL6foB6PLreelP6CMYSa:oD5esoSDr9iiEk+JmudpENlxmjyFZKUxT4Iha5LVoTn4X1loJFao3RVDTgg3js8cw2i0JK+uWFvVtjpnj86X0mz7ZLafNTrry7kJfRt8zFNs38s:V38rtImn3LnrTGEnkoaLzjTn0tvo6phJks2Uhu7tQZurhvt6mtLPWxicqRujbiAbOLf8DlzEG87I4HVXW{ROQv3F7BuHSY2dkR8S2SrPJF0x2XsXKf+oh306akDpkuFlH4NxVY96IRNrqMPW+s0yoSebl8UWxian9{xmvjYgqWLsz{hzep1z5mrcYeBRCSfUff/21UKh1nJHCz37/30eC7ZbqJA8ogzKinM6TdvDA2PPlDc6wYL3eDvfbxg67TULYiG4xxa:FV37DDPzF5P6xDv,+tqxqzLT5gySe,pk4EM0F0CwDgegs25g5vce520cc2fBPojjBkKe7D0w2p16ekOktgx2yKKs/6ReN3fX4nL:uvM1NnsFNrBt1t7ucFWfHecn1Fm2NdKLd[OQ05FhW[MgBsWFYhtlKCYh1ZUXMvq
HmYFug[SJl4Qci6ipKKAHXGxnsS8ro{DlVN5UnXXR7mRF5jx[9QI427Fxzg72zUSkT,hqLFMSa:qLd[sEljS{MerCj2UU+s5GNQBsc3D4LYRnghEqihv3TG0i8xkge,C[J4vOKvFm+JYC0mmn/re2TgDqNqLSV2NxQermbjEXdQt,KbF0j9x42j7wLY8IHBRTGx1YXnGtZ6gT5qlTskmk07vGaCr8ms5IROUNh0zW7T3FP4DE7[qyxI12/DLQimLEeUgUL5wb3sbqM5EcZkcwirLp4umGvgdmO1UhJHBBByfV5n1V9{U24vadQNEo7RXlBG80b6zk5j2MB:w,bVqoH8iEpLi6Ftd58{g0MLB7d9IvpKKCWTfZ7i0Xz:aWlofMzR2kj9H8PsrSq0a3uSFk1,dDNUjciOsoy1exhkDj6XTzhcHuBmqZTL9BXWSnIzb4yO71r1mYjHTvh66mnKSDdUBDr0UiRkt41ToxEKSYV:JqvVRhouz[x{PunK+VR,9JryPiBB+oA[JZrh8vDKt119ZoYZk,Xgod35NoTC1NQZ18uyT2vBK0DNhPgI2kyh7PHy81oqAVZVfXQIyU0lYGTdhnx427rQTjBLGXfJBZuC4HIVWvByG:qvi6XrXbHdLuxWHYBqnXskHRdYVHpWAtNVHLYU7{vqtJiKQgIne:3y0nZsJJr{bmcFYiE0jgxDlgKdWd30YCVRhx6jtFYg9pFlJdT4MWnMi[P5x8Lk+zrsYPVkwyMN8WpFbwZqF2TCPKmFr2F[AkVqo8xbtMx2EHS8Xm2,9W4Lq6wXR9ZqxJPKIx/Jd7D8NFURzf1Ki4bRbKX4FPjwnBsGRiZ:fV2LYOykiYl{W92mxFrN4{XoQw9O9FET8q3gbruOxrbYwSe:oWJp6jP3Sf3DW45PAKCeKO6Jog6,US45PdkBBur:NETIXcO90TEqjkJJHB/xWMSOb5PUiySuowb6XHJ6hzqyGf+HupX3MxkOQ{1b4IBjrlSQZv9GCEX8UW03S[XongTf5PFr+GrwuUBZZuyy59SOT1EmUm2IW2BwmfqmnI+1q0oBjd5HyWXdDoc7MtOClVXV1NX5Bi5Y5SqpiCSOjZB9tzFZNsEsFB6UQqb,2OBZpERlhfFcGxvQd91fnhc[nHgS1OivgbZ[PgYbFXIFe4MFVJbOvEBm/TiDKbfHQKiPmM3OnTddnB1rA1lETVWo3HOlRG3O8ogXjBA0Vxyv0VvvwzoD2h1t04JPAQeT/M0Vqx0fCcPOPvGxF2IzeNZzhJtKIDPXD3x8oLzIYbeJ5Hr[vv2XzjOyCJNW4JAt9raT56PqrxIr4:YTY8lp2lifT1eJ9VcSlE2uB5nNph3JIVEk118ihDf[fqIQGBVoYdFOz6wZkN1tk[tY4:VHW5rLajxW83k:0[xz7yc2Qm2CJqFHK01q0ViVr4B6lNjjiUi{aFLh8Xl8xvps+d0kREDxSCQvC8mv54AHxHE0rpkSGE/Thk1:IljcP7yC9bXiwfJi5fC[M{Ogfgy9sD8jALeFHs262u3u2UxvXcKfWOQnaBcL79p,cEy{663TTlyjH6XhCOf7jpSeOiINZIeE4Q0BWZv0N7zXUM15cbSzjcjp4Rr:1uIG+Ku5PLF{fzU4dD9yp7+EoIF0RzFRnQyUOkBND:n,QJ4zhVD{3oyXe1f9Q0R1Y96vljzqFDBR0Yi5qEpo4bDBPJKz1yPjCQCJo[7Pkw8mveRe3Yj9cTEcjCWMvRl2PUztNm+dzhrDVXkFH1wyP7Nt2[cods8Cv[oB0Uv8Gk9TAoyGemrFV1YCQ{Qjbx0[uFeUvlvUWfQ6Hx3FtIG[j2LXlcu0+EllfqBpp9YeQqkoU29XvWj61ie2bh4wNrOEev6WtfCuqoSqJI1P69rtaUQ7rdRIX8Tgtt6NzheZKKjVEw8Og,1S6sETkQRoTvTv1ha3jsIEWbNp0TcSDNRZDg9PKuCCIsa3XtDNaCRv1mv:vBw[YybnAYUX2UfuZ
SKxTfURi576hqo[8gsid[qSi1jTaucoDOE8Y3Ibn4Q1iFEgIK+YhcGTE:j{9G3s5MOdbNeugJZpTuROykgBLKxtTCetOYAXAqdkOII6UNNjI:lMjeBegwdSu1Cyo[w:/[r2tNgnGfyP/SkqmNgUwRtgMjVvKll0PqWVnpSgvfavHHJKKeI,NJwjSmA5LqsHkPCsRH53PXbVYqHLOnIgpeo:Acu63D/WiJ/HKEK:622TcC7bXZpn3f78Z,vfBO232oSuo1DubNhdigQx0i3sPl3FOCkWTPbBP78ylfdleud6VvhvogG0XR1jsVZ2M7hxU6uv5T3oeX47oSXs7i7Im0QipJ5mSUG8HXv6oNmVNJrDH2vEMUsUwEigkIP5m5BjErKZIkHMI5wDvZGr0M/kjUBCtSEbQGGhHELnyo0riZdN4UV9q2QBt5iNScD1ZJj[KQlblJMU9eNg6ylG0q1s1lTNq:8kc3vj3PbtJtTKtg6BSDCUJKRRDW6difmYewYOMRAuXtSLJMpnY:6W/BEOC9R48GeJxGBPCL4WWB/iy{13qD8vp:V1wbcULWaybFTZS1GXj9bebOfY5BNNQcaJj5sc04VmMkL5+J20CIGQqufSx7OMBqnuWlx[z:RpbrOufDjWv284nf/pg,D7c6R{srFPAONk+PUtKNKFtvm{/3RxJzj6zQ/yBE7W8se55BAoqefQGPA9OLaJMiMK4wyBLhW53G1EB39Q65Gp2pPWOflGtT11/BDbieo:l0ISXpiwe655nzLO16YmPGOk5V2oD:5gxdgvNs3tP5PXe32FSuEzoZwleCRvAbj04rWsKqI0A32[l4wuX[R5mkCf5jhT4LpM0zYjxPxoxCyB8zirQVbpupqpkHE2io4gquNRBVy2ADbdZBCm8ew8j,DWMg7gcvQc9c2l6TL6idgiz6DKUppxV6gPrpz3BbkcAGqTd10soRg[hvAnZPTbD3lDY6He1sgZlJyedHaVFEjPdNDTT[r0KPlIZiR3lgXJkZgYT2u0Uk6iE7Bvbfx0L55olpbVJZmBgtq7Ypo397XXX3Ll38KJ5Q4Ij3eCJMsbfFLg0tQhCx53VZE4kWQlmqdoWnZoaT6xcU3dZ9t33LDhkd3f7K7[In+jUWtNT0/HNB0BNlY8xh3ZVbMVe:ymoLf42sP7l1vQoSN1b0VEiM9RzwZ7GZ2wRJFfzltoiBxDhXP6mGd0YOQkXuN1KcELEfn:HnS7ki1RkbOMqL+ZYzxncpADiuzTfZbp7mHnx70ZJtSW86zXZK0sv30IBC7IHpmVOYM0vGjyu:T2JvXK8U6exXMMx65gvea44xJm5oH3YtyvInoQrceqbBRq8i1m4CiWG6Q9GEL0EYGsQwgz1MVbaGIJcOdsBB+oQhrIIg/tvZ+P3UZh441TqoOu2j4rhkEyM1ptu6Rkgozq/zsE+q3n/:gwgJVOQc+ro:5dQJY5jwMQf{F,d{Lk6NujAYm8HU2namUyLQgpOWWXPu4FjpGU0oD{VVl6DE0EfBoD83g5ajM3AqwXtjjLQ,0JKPBD9nLwCqfxslXSbjygNs26Ef0qkrKsUQEvbBw3KtwclCmhbQLtzJMlJEMReNB:aGaKOVlDJ7bnNOyZExEpPwlxau8gWBTemDKFU0Ug6,zz3q/BfxHBMilWLh/4HF7Z1rMgZT4mDdM,C9fZJpRHctlDZwSzmvcjl{MoOjVd51V6O:H3nn/R9XWvoZq2Sc36oFoB9Fkfl6d:r8dHrbZpfmvcZStfi2j,G0SFn13tWfXDg,h{agkvUXQH9j3RaFJh/Q4dsmaxrlEV2BckLipIFI8GwjLL7vcuN[z:0l4JQrJcmrC8UQpRPFagX6Jz/vFxXnFVLf9yJfT,4lGNoCIsmyPddi65xedOnW/XV[W{1Oi8gMzCsGDiizNxkgEoGvePHwlZQe6XBBN4LPro5k1wHir5Lm4b180gnDDGs24Wx3nzfNeBe32dqH7YKwrnpmNs55zOv{C[i
pXZn9+Wue0FT388uzMFQJk6SQoUjpZV6bXnFbKbS[Z2tOYJPfJjVS/iLHocNS9x6ZHwa6JOOwEHegdwChVhRKhE/{5401EyGIizGWgOCQzJMW2y7,tGCL9{M8Wzuw/cAx8,dS+EaYUk2DQBaCA[p4Xe2CTY0OtbUnV41y6:UqJSwgdTd,zwlu9FTo2VribsO[3VBtcrAlvq6JVtW6bNnLXol0TGXSWfGQl7uyNSN0Zxtf7ZdO7{IOpeZ1XxpbN3PHa3AKgvkzKCefcQbvKhH0Z2cnEtVd44+fx8HyvISDu3QmIOvGRtVdkwirH9YIPweqNUG2i0IgmHBrwFy0+Gwm3rUNyp6D8XrfCtfzv9W[oYFl8113VhA,rLTk8:yTRT6PAJwsHfTFcz47FO0LFziIu,ttcMqVYFEowR+simirk2cnRoVD6M3hdote8csVYYwMLEHg/0wPX7C{WO0vYGBp7rO:wu3C2RuHp[csy4ylCwMUUh2yU:WIZhxFQzRY+PxHZdbiQ[dkjMCoI5bL/YXIUhgQOFoOXzWrUuHEy6umgES23ZmjT8RxBkkSmyohg2XfuuOoksDR03koeS6fdKIu2v7eRom[5493ZRFMoswMPnFVSFXpCzEQ1BmLsUL3dwThaKJ9FdS38qfbKL/nuEFRA9FkCrNYje6g3eJKK0REsoe9b89MOFHKyDDHjuiTVldCdSDbZ6xrnhc",
        "KERNEL32.FindNextFileW",
        "GimpWadsdashHoraYardSeatDeanScanscowRantKeasfib",
        "      </requestedPrivileges>",
        "q=5Y=",
        "vl&#l&#l&#l&#l&#l&#l&#{",
        "9-:3:Q:V:",
        "l&#l&#l&#l&#.",
        "5!545L5`5q5v5",
        "?*???S?m?u?",
        ":?:E:K:a:f:x:",
        "GetScrollInfo",
        "GetOEMCP",
        "dCPvCAYtZamL8Ps1t6X/ySjv{b7CSrJQTWDFIjdVHi:ZId0jXvjMwh8LVTG+xSskvyVgO12dRzS21RDI1K",
        "IsBadReadPtr",
        "ChrCmpIW",
        "KERNEL32.FindFirstFileA",
        ">8>M>c>r>",
        "DyLoL",
        "5J5X5^5d5j5",
        "GetModuleHandleW",
        "USER32.GetKeyNameTextA",
        "<$<H<N<V<s<y<",
        "636:6W6_6y6",
        "KERNEL32.SetCurrentDirectoryA",
        "jkjk+",
        "=%=-=v={=",
        "0*1X1c1}1",
        "SHLWAPI.PathCanonicalizeW",
        "Dy}CD",
        "2#2)2k2q2",
        "Oz9zyW2wl90qflXbVN8yNmGZOVRRl+2yeObWL7KX:U5qo9MfYMW5J1[bzSsJeX6dJY3PyH0nboCYeA_",
        "4)4D4J4t4",
        "ANMW-",
        "PathMatchSpecW",
        "7$7.7c7r7",
        "4az6X6:9F9HG[O5oX/vi5QL6YEHRi5H1do564wbYpBd9Dihf1h{Bv4OIl2mFgGYHblK9si3mnQSOyv{ppH[eYuyzUGkeJaBv",
        "NextLoveOralwanySurfhm",
        "IsWindowEnabled",
        "LocalAlloc",
        "NisiBoyolineJiaoveryObiaowedblamHaetMaulweensky",
        "1%1+1A1",
        "Dumpcotsavo",
        "9%9*9E9J9d9q9",
        "e-e VY",
        "KERNEL32.ConvertDefaultLocale",
        "GhisGoodHowlCoonCigscateged",
        "GetSysColor",
        ">9>W>]>i>o>~>",
        "0%070J0a0g0l0",
        "eawp}",
        "GetSystemDefaultUILanguage",
        ":3:I:Q:k:|:",
        "e_9g+cYbmY2Wr5yL/W+9f6jiMh1[Igj2xvY{r9skJVl25LJbjQVBmtPC8uV9SSX83Udh8JmEkUBZ0[aJkoBiPTLNbioJvDire:Mri9cGMxKhGKaClrYJwvQnJvfbojX5+lIjPTdNJBrQ7P+jvDwHMeTGJGQih:q3bMCJm7tdjq42H7TmA{l{HQp2Ti0TzDbjPb9KodEmWg7rhsc7nc18QUprYbDrvbsWRnZTqjFW1w0LFQJIGXnUvPd67SP:kjtvVXBfyz2uVlk[IdfnSO1uE[RbKUzsfRRWRqn[Q6rwl:0dgIvXMtmGEQTcdSJHKrpMy0S5iYgL3F97nDnlwNC5A:SiNYOmxCQux61r0wJfS3PP1GH8D9nEu9bzaxB9ddeWYP18Cw5V2E0RPdutPw3bQhevmrO9xSv{81r4NS4WnoMhquv2hBRMUmWGG0s6uPdD8RrRzR300nK4Du5Mdv/5rg2OI1m,tUc8THKBD4c3J5GX6NCQ6dehl0IJC7w7KwzVwFs7L8jECkuIdMm1fv8:rxrp/,hMiT5Rb:vR0Z3k5Ve8X9nkJypSX[Csl7ExgMc3+DvhgEMSCR+ni6u60sHQSs6{dtHhO8Brj3yu2nhP71TEJtodiXIjxglbX2yWV9EZQ1GBhuUsfD/UgqHtQYI3nx1HEzZl1fJgT:utnHRQKSWO+lf[PGorHWK,GZgGEqP[zqNJ5m/TgeLN7m38v1oXL:xfqQg55[I2ijkK5Gd{ljsgk8o2MQj2DouGJ,wogMU,SoDfIDefQyw5DRZKB42XtEiU/YC47g9JGeEUAbcd+UW0+Vtt29mb2dsJ0RNPp[cGrFz8o:zL6q/eluvl2RjMi9+7dTv5W[a6X:TKIhuVocfVfrCW2P68OBoIIJj7n6VdihVvvvUwqJ4oWZBcFetcGu1n5bfHZ5kd2xj9SPE5r{DTFsYO2DGLc4a5ppLjH67,mrditJrwHi9[17A3wZ1uFex6kdOTJgboAUO5xiS7m[U8sREjAgwluk+5Hsht+9y{hK+nc5IVi7RfQZbeu03iGz7MVhY,pZxi23nxlY4lt3ZqTxVL/uAvEObfn8GZxYPsxVYh5o1R2KrE39rIo0dpawt:j{sVx[CstJQy+wGK+4+psomjGsaM8N6,lUFhE5iBHYPD4UTroV3s3DaO5fyOvHGvRjwssSVZJqssXtc[5Ocu9vvvgHlquiLF23Jf6UEHUV1duqN3+,vclXjzbdNKNY4TL8OlZL/vlJJrJ2H{H0/1gu78B4Vqi0sk85/k5QcswnNir5gMRIFIOn86Z7n,WNrvEj1lgiH{U5aCf68powYRqpqRscMBk0j{cvdzsOVWdQ3SImrIR{X8Y:FyqPowuhI3yX5egwTvadWKCRDM7CAY709M10sLjGCInbTb5Kf:cKVFnf/cL6qiyPtoazMIh{2woU4UbxwV0KxWktxbO64l8bMunzp6rSMcg263FjxodQHsmH4Spowv5Pg2bJaoJ6JReYrV7cXcheoyNpk1YWqewOjgpVYJnfihbnDH9HZwCTRICWgy1B4iUxw6NZM3s[lZg4mnBut[27sGYViK2RRtwrAOJYHLW2c8LJee+U8Ll{/yqjZpZRIM3Mj9HG3kibv[w{77SbQLU4DvMPQRgXs33QrcmQIrmInJf3e5uU/:60oMFF0p0tpE44qKTqNzHQoYIj+g77TlyS7pDd5L0j6gQHjvQsun2zk[2HLW9kePNsF:/r/VoGUrCET,icBtQFWt94VVzVMcIzLXk:Wgj[hNeNMojI75Tpwl+PNg8pqxc{rehkt[gJOiYyvg+VVQQqCBNd9mmuwBNqEtEmg2TxKYWgvi/[1c26BnGsvhcd0D1IR7BBJEX51hqGk4cI9ldkmOVSNZeTbP2MmTeo8baBzGD{kh2WDou,S7Z9QCnlJwlkbLRn/pK3OYZq4st{zzsrrTLU0j0u+{hF8FH[VpEgK0JU99q1mUtXqldW9VHyKxY182bnx
r/2S22PzyW:qpL3DSIleq7npIgn4hgfu3cc1jgKyY+ewdAsnuz,RRIQkSpiv5EWxPRCNBGtVRLiKo061MznDp38rp3OWtKLG5oY5oLq14yTkv7n2XIULUe[JT3RC[idYiTvSeoXA6/ZxIvHtCvsSnkDQsKZb[BMhdzukFORdK1vMdNWqV0BdBE2o81oRsiYJpE[I7iKlpsnqlT30DC0huMvz3nJAVoPeSjH1tPdFpS[jjjN60VM1YN:BC0Ypy2na6nxn8wsCOhejrh2UMb:x{pmztf86kVBLBp4ItywTiHloicj1KxBH[UMCjeuPF7t1Quxp1b0sBcEG9AD+OcfhXu,AhEDXSIU6e0Ln7PZZGRyGTJfPf2tfSVWQJR{ZWMTeTjTPgBSyqI3gcQoltEb/qMFfkdj2C3jfiQQd2j:fpFktmRN0QZ1onvQme7lZlRnR,IjNMxp69zhT9511hg,fhv8gI+cwIu85t4b17PW2iVDNuZOb9RV4m3tJVcKll72oDI8KnV4h[r0K1upGzccXUvYPDoGYrG2Iy3zv7wRMDRgUGnj89Qhi7iME3wOGurgvWXDVT9wlTTRctfzu1bxrF82/RfUoYIzqOYcUFbfzrbZi9nsQHoXyjB9RdyHqwpON8n6bsiFNemN1YyZAKFrbujfQ0rsWrcmD6u,+IQzhDOTbuNglsVWqmS0VFQtM5G6Owb0WfLEomUBiEYlDij,Bws61I2YiYfJnPlHsGfnaqvyK21MYkJwJUW91bjeBMElDM0o8SOc1QV[c7XHF98iyJ7Ey:YvXjgUYKLrA{wnCpzYSpfzFETWY5hv6iLoPcSqlqxnDp1YKHgJgXhNv8bE32ZmO0ciOdgcAnHEQIS1OeZQvoK7qPVec2ZQZ:3Q7q1sIXZ4/tKe1S0ST{2li6zUUqRHioOCIFTdSlztosanX8ogl7wkBly{4VrTKWIwbNXrtyT42LyzG3jhz{JtEHYCIgBRuzO[32ag14bDZWQRJkUiosjk0zp7xeaFBWI3nfLP+e7,H5ve/jbSPBA:7ZuruStrEu5CgF362DPGXTWOfdfPaypxsRLJrBp5TY+8UO66OhachMwzXWuwiIB5dXurDpedDC9NVVd3YPHBtPsLsv9GNM0lFXac4h3uD7ITzrOffnXKHD89ZRY7v1lRmy0PyOkIReo6Flu58mcbt66,5XYeRzLGBza7LUZtsGcRRs6kuDb3d5PfeK+6p0yr2U+ohiUnpB66EX3:ry9sgYUsWhMmKIT7tBYO9JIgVoinOhiCQ9y[3Ge528Vr4DNMs8c1u{gH/oZMo9mb6XE1tsJiw7Ekk0HC/xn8y9rjque[1dQglPm68SXYvB2OpeB0HTLyrQ+fp1sESG5[HmgBtMFmncEVkq7qhk2J9Wwn4mPTUFE7ZJZM74Nb1o0Gact7xlInFb7sM9DmdG/YbmLGM818zwF4cIBRhN5VI2Y9UBsXiR+uC3mjF7M:6NaPEyjr30eKM3E04CBCys7c3iyFb6Xmt2mmd4RYwZJ{H{yHNjwuJbsHTPgR5ebxu4qt/eDQ5xSz97MXi,51GCQHZXLMiqYNDCjIctG9J4ApgEi{81KfBjFSO2qlMsAkVX3VqZc[56Wg3NzEtFIZXkYUp97:ryAd2SCF+MwXSkicisNYOyL4jov6/Epd+h4mEyjiDg8gmnHNabYbaln8SJ0[FDukUXcfh0w3yHzKMRrw7H3PRnNcTMSGuv5inKVTp5cjO:3CwbtEwnhTb2D97D7I+nv2srZGIjYf5[OCyqtgPPSb+wMVJGH2juW11F5G3iI0fSfMyv6Qcb1eDHLcfCl34{BgKuc2yz1GYsb5III{llWnksnRgUaGEHjsP:LzXrUJ8uEnnsDzPFTPZF8cd3re6lzGhTlU4Qts13+QreDOI,4UlkOR19PJSYNF3ISdcY8gmjVU5CoBFvuPeMtmhTt:3,JPulPQS1sM+3K2jliV69ZHowUhk4kOqTR9R5/9I5Veizc5+
dKmBfBVwOUxNJT3BiCMbpW0aBMicm7MMCcQXXU4WIp[RrlbICSof6siAVP{eqJXsSg{wyuBbptM630reTRekcxXJTrzber8q,YlfS552iQYc{HL6IskSJvBNCBdmTMDKfYJwFHvu0WC0:NyfQw1D:MsxY0gxtn4spZ9AjT1BMs,k{LPqZyeag8cJ{QdwlrcCZB5w05VjRwvey0fCH8E/LSJO2x7WMVbIz7fzQt2tpCZshX4ps/rnr7RZZtQ1pbfwuLRDURXw,EFXpnxodQIHPEwQxOI8{4rlMDOkH361,YE/U2hi6t59qWvy423tIYrH5cXLcOB8rJGu0yzGFfvNQZHmXeCeJDliPBjfpgT0jPx1WGYJf1ckt4WGrjw67pctMF2MHcGVXk27HbTeGrB9lh0YgbJ6lGUWelS/VP32t0lqlgUTqpWfKFNVLsWxU/w73RDkHRDOFrjkLjzVJ1HNPHvmqlsi8mVmWjr97GgsOcXx7xRPxdXw,0PRSJbPoeYgRFEQeX[5HX7ApMBG3Zv1PTf6X1EbTP897fTS65haPjdKRTrsPa5e0Rxeu4vbjnVHwZi7g3HnWH:/bGUggM4hZrkak2KTpXV4bqWFMBiAbYkZEYE3GKY0eHdM6G9M9A4FgTYxw9J9QKPUcBFMRYKWpdvvxblW:jSKzasP08FBMgwC9e2NOtuoLPZLsNWmjr,Ss0UsXaNmBYgG[VHB8DwmWdmBF3viGqV4yLqWnxMozQ7nKESCTW:fGnYUVW{RzJXxkudKjEcz,26+5kudHlSHkSiGx7i1Gu0f0kfFz/u361WySweagY1Q:6MOZY3yBd2oe/HvpJQzY2WBbbfDg2OXS6fT8J,p04t8TLPv6xFxD+oImkYDRSFXNGqxX+TW:cYXybm0UldJ,ZF58kdhcuXAqyuWj6zmljewbs8q{pp5PeybHpKPK0sxpMno1bbwI/5+{tRac0egUc35k/jokzhXdKDMpS9Q[JixM1e/culkCr0MmFoEN5lz[xrBo3esRZPpQyVvvM1HUnz0lzYy3443db[nGbsCdkmHN+jijWW9nmgHul0A5H0P0FswrW7oySntYqjUXu9KVYQbHEHxlh[Z2tT7w9QeXpyw5ORnlCqz[+zexzxCcjq7L9[BjIS6hRuZ928Ke410nMnffMZimFDDwzmsceRW86{1EqT/7iPh[2h6FTE59uLiM3Hhj/9bRBKfJe[20YR1c/LflfqEyXB4eC1i8sWlb/Q2EQf6e7TsiEvuE9QrpwO8nnLeSc5LVO1znf3wedh6hSSqJqnfTv:tTOv7rhuZByDnRjhGejVZBtNqPBwmIC1YEpJW4U271J9+HEIaQnn5fmsndAlafJLB[PILZe{kRtM8e5oIKIWV,4zY5Scgi1vtTkSuG1YXsZ{c{2P42sXzzj2OMbC+3OIGgrOmCaHGgUeE6oH9EtGGMzN0Cm7mZ19wF0cOJrNK0A6jompbEMGJbI,eIyuhL69z7NtP[8h/BOXlDC70YpVs8s8LlgQU43retgGlJqHVrG[WWP[O2p15Z/eD[qDk6ae6is9oj1087ZdQZd6ptL5NexKH1OWrjxq1HreDl+oK9FOZ1pQbP1gjTPH4gm287z28LwmH:gz/qcPf9jLZqzgKqbeMCM[Xg55gxiGKn7{2QHBQbWtOySJXjXQ55Qgm10rAJNKGLFDygiuc8zRdFqSYYNg9VOrOJzqP{d4ho6eE8Y6Z3XC/{6p/u18VslQYzOvZxqsUXCxgtcPFS/qndseUbnNN[imCBSwX:+0RC591F4c6Gbp05TFPSxqrtoUYsWin5cbn8yGBTvvmCieVNlBR0SwwnmvxOxuyJ6dOCMvaKnlWHjTpy/MmS4bvM0grGOXvQVHE[nkjJdwqGb6YVd25V0KmKcZDKESupciN6G8uYpzne1ZB,PUVbdW8x+x4kzF+FVoTqk1xfXxgCkx148frrDG5,3qi4JFUrXl59Nc26Pe1,m,8XX977gWejE8U
Fd9qFyEKcEsSlRinU9o5Hw:luMGI6FZ9Zan3qKp5hTGookMOTQjGWnMERtwqUjb/cFEYTF6mt1HQpAo+J18L09pVdEks11SIYDb0Ol,6rLxK,2BNvCTD7quXSm2AxNd3:MwBVsz4oWtaoPXVledphBk0dEBUKX6qmGGFdlfziith[7WD[xhFdHOSoQ,dhrZVHIiYNKOBm7O6WjTmUvKCCR0KS6:sqVPCYUp27kFEEpus5aeF{/uajLPh89[fYZxGXRltpdqQ[jzs9ZtNH/BhxP,jbfsRs/cgCP,yMzEN6nwIGVJ+xwnSit[3liQhjQUe0r3Zw2V7QiLvknr4V1mYEoSuzsXqC8d47sIjr4xtHeGFEwbV{5cAC6hoSK{tWsKUGwrSjwYzoswmgBwyHJmYrVGru8S0rCC2X20sqoOE6KZA8XOTLeYm8lmCF1IE7Mh2[aIDRqtf8MreKoVID6E8z7zqRKzY0dwDIv5XpChhgxQhwbCXsI61P+PlRRQrxS:j2IOzzShaOTvMeszurA69{3Hew3DevX9Wc0{6FlzSVHDcMcTQXwgEkCKmDWOg,bLqM/QDUGlKg2sPwnUuUirBmKCmNs0wWfsFf24FNUeZl0eLRMyYIX1V1TPI4m:JBAiuQHYfqY{6FTqUmKYumeREy/8C5hc330naTafxo/PYSAWwE1y1k/G0jE[7twZgUFI6X6m7OHM+6Q:cJJ",
        "l&#l&#l&#{-",
        "xl&#l&#",
        "3&383A3[3k3r3",
        "SHLWAPI.PathParseIconLocationA",
        "FlashWindowEx",
        "Xgbaba",
        "l&#l&#l&#l&#l&#l&#",
        "7$8-878X8^8",
        "uisq/<b</`",
        "InflateRect",
        "USER32.LoadIconA",
        "GetPrivateProfileIntW",
        "l&#hu",
        "?ZitsLakhmushKithHethGapeuveaMunsNoonRandJuteHuntFiconom@@YGXUHearWheymu@@D@Z",
        "1T,(3",
        "7(7-7Q7W7u7",
        "9UNCLniX8Q9stHZ9odpT9q4r/E1ozqN9PkWVWSjFFfsD8kq[TE6kjxrWqhPYPOOzRYgZybu0pF1qK6aYL[CP/PndSgqr6Xp3Pq",
        "<\"<(<-<3<<<F<",
        "USER32.SetDlgItemInt",
        "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#&",
        ">D>M>Z>j>z>",
        "YoWQGRRSPP[C[wNruJDe9UEBgwSHh2z1[CxukluNrwVeV/5tfrqKDCy7MnZJOcnpQaip21Wd2r1DOPc0QlgYEYHgl",
        "9(909",
        "9O:^:x:",
        "7'7,727E7L7\\7b7",
        "PathRelativePathToW",
        "2!2+23292p2u2",
        "0-030",
        "Dy)<M",
        "<-<N<T<\\<d<z<",
        "3iXUFwKo,RZE[dmjSGSxElIp[E[ecdH6tkjBeXqdtOR54iISfibceHpQDoYQV/SZPamEBjtoRmE7uV6KVkn8g+,pSJ1OirEgMA,R2YCegItCU7myVlizPFrdQm[0JpWlqwc3siGZgmMwI90IxU5jR5qjMo202jp2rdKihhNJQprp6S3t,cDwv83lNNmkVD4D[pVjntLAmDYdV8rcbPkE5xmYj+u5t3tB:dtK9ENEJkBl[lZHD9UnwamL1Sh7SDJrCiHAWSBZH8C06QsH:4bod0gC6N,aigqylZmIysgM8SHh7VXvjYC9rEG4ZBD/4RUXJ3Px{ILHxb:lvz{RwOjVZiPOH8,nHXY53hZNdAwZMZo/KfrUmvDg,dLm2biSGODgH6ly:mKas+TT9p0rcdHqHTlEhs7x6F69vguq7/7LttGoflumQzRUJQLrrJYwMbuhZ5JQjp7Hpp{PR6YOq+uzSKwZytLfbqkfd5mDdjrZeUwBwg[XOuuvjCdD1Y2YokjY:RrKvKvvJsLxoA4rQrn18VG7OkiZkqvhur8kRGqd:8inwoJRYvZsvCNE[0ktU41g,vDQq9MtQqZj0YpY8FXzVnIt3Y[YJtOLBRpEFzpTCQqT2GosZhUh4sCf7ywswEJ5yUmNydKkRmFaIBfKDhHMn3G+eLboYY5fR/t8BGk+2EI/gF7jWxDi65JOqNCnn9G98fqs{B3pCR:14wWJDS7IyGq52BXynXWLltNgOueNePvqMp7zsMV/yfvLmG7VgdCbEkm71ZtkF/BxCYZV3A1e9ymF4FM8yfGWglGcohTMo1LKLPjJzCVauQj0E0ED9dD7hgIZmcEiYRZd9+vtSVbOrJXz4UoCRa7btnikYjqmtm24uiVSRkXqfKXk2dMTuJlV5gkCGVK8ytF8eUBnUJf9WGYQVSymkKvw5skYRc3PJ/2Ih26x9MQom9,b54inK5WHgl6crIIVDtR9v8rY8G[+k7HU4Q0j8QxXSSRkLSKCQmEzvu1uD6{WJpz4zk2GcPDDej6AU4dBnlyRE8lFVq:JNHTmojklPbZsjVq38AMzbExzL82ik3DwLSPky31AIi2uJhJ/pCE8nPjlv9ytsjLc5DpkXT4fjAYkVpZJqr4cLzoT5Xy1yJer{59uKRQJXy7HB3vnWUI9PecvohqpiXlBpxFOI+CJx3DoFzsbp0edt8PDJxpvSZRf58tU8BG72+0RR4Mx8aMpsAqJLkJWLRn9zUWgtxzVxGcBCEBWCY4QvoXTeOSre7wIUPqQrR3A5F8VUBXPVIH42YxiuKjK610nkwx5r96gFCrYDbZKQ7D83DJ8fdk6qsoa2hUciXeKMwPlCKXTF6TkuTDjvsLrfjyk1lfCvJe9z2rXs9syuujW0eOy:ZJwxF2TLXRxl996IAcY7/QsGH,a[TRRpTbyxM3635d0cnzqPXws22z+gYJ5SlkDOWq2kp{JmT229j1sf/D5sbmP932dj7SlRaoWtNeIgGWvkifUvUfu0m93{IRE3VstenDthbh4YdlexAMG9TQQ8yqMCcyMC1dKrWGR2i[gZK0o3FQT2x31HF3Lqy9whkYXrE48DyjJKyoBOzqZJ6zFg2ZWPyWP3lEUhP[4Q07s,rosgKMEZ4eqiAZ+HAZaCj{joA9TKtsgDbrfv66sKbIB2jukJO0QIywWpV7QPbMU7xPUoYX3H28AOJh+,+uD7tn2y7,07pjtbwonuFxMkj9a8yV/T1yyIAQv{V2PxFCYCJ1FfwHnWiIRG9:001LeK+JCnfOpneJY5X1DyL:MTXvuHaPOGjB8IIOkwxqcod6ExGRlnMSW7vJj:EW7tTWZJX{ein:R6Qul601y8TJNqUrMy2RVtXOpHEHANs,WIRCc8z4HNz4xIcX/YsY1bs1K7Y7XLDJWY89rUPxxnepJHwMCHm:VXVSuiFCrtaHc[FBK9eNcNdrnWag4iKxvEsnW6nqxXQTuipG9BZlvkFTwW0{E78EI5r:
NB7btWLNM8X2EjtIqDd[7iJ[8EFl5Wme2{F000PTg,/v5{OUOC/4W1dT2rxr4z8Jw4HYMYnftojG9HagbHssTBGOKK7Wd,FqG,sjdkWYMCEQqJqDPP0zsmLhc0AgWhU,Fs9lxIBMxlwqZoYUFrfDAoigOCXd7BmzxjrcSyDU5u8caIG2Dc3y1zrphdh8h{f5DHQkzV0XEpr:dbqQv2b5ZZ4NEv0Cn[JBV7M7tfTXX50MuJD[+lCpkYUe6jF9YSJ[ZpG,z{IjZWKp0Q0xqeiDI78zDsS5TfGpk38sEdYLGOxzf9pP6h9tkfHBfnwIilutySUf/vngbXIm85KUbUZZsfT,KDFtciQGRUhrCVsv6n/29S4uDTTxGhhbOyLJ13lCmHFDyn+WXFOPrk7y5hWGBDa8NGIxdrMHkiTqpOtxHdFV3ciqN6huQCDIxF45Mzom5jbFCP6cRp2w2[x7LDh:M,gZIWlIe1vu0RXInpS4ab8w7iHjO{3ohzSlGPSjoiFl2JVHDmJjDmA4EGdWTVIW0K39hqk:tqQeLQpKm{mD7HZeHLEnHq4bQZmSslIPt9DOhTJgLxYPMqZepwr{h[O2xw9RzWDQssj8zNdHsM4,DeheiJLXmFtKoi3IN[myiGr{p0M{xMcGc2zYt2SJNjLjUodWau0Fnts4lsbvJ,WSyvkw59BXlt3hzZ8sZpEjxx24xPjoueFupW4upc84QYZqqYybYuPeL5nePLk5x5YWlsE,z1LquxtH9Fbe3D35Q{UflxRyXKI7ceVP+Bk1wVU8VCEQYHmzhm3OjuEDpKmY4zoN3162vSAEmRL0WJqeWB78fUcMWUDLQJcraDxVKN1p27QWfVyQ76DU9qm{rNGpvUl0tLEm+{u4JWR5iU94NDxwfGpRvfN3xfHP8MpfihGwRhG[a9lcnxXpKl6gIiZ[QCUo8lAs55EZFsY603OmqihP5SjqfQNk8yG206qw2,BmW8G,lHZfqwy{76+tS9anee8Gn6+XTzJP6l4RYv0jyrmm7bHKwP3wf325TeUN7s5QwDHnD{/saiAk3VzOz4Cc92yynphgyBGiS1XfPBvdCr2ReSWmPLeRjgYg+qI9QYJ9ZlGT7DQ8Yim0pmy7XSQvfRvqbwOEV3FDrufy3UqI3xDeTPZyyUmnz6mfhiYpGQr5q29r5CCB7SuJUUiNEIlpUsZHm0H7gsXvlUyr0HQRU50Vy7J0OIUda4G1+SmnMlm2UJxLWMi:1znTlRSGcK7tIBwRnG6NJ1Un+QwKebdtg3YVpUBjE2H9TM/Ehw2QyOq8cl3PXx694lKck3WP1HIQtMSSEoS11zUYRoi,VEp4w6GHzvH5uP6cVDnsz,zm0iZKWD+5ZBPfR329Dh55wxjcHtjh1fRoF2LD+UE0T:IELSggouMBjdpgtwyeU7V5fDwYsV0IjOHDez+kcyUpoRZsu[RLstTGbdrfPLg:gkI7INME4,n5IFk28OxZ/,eFvnBV5VpiaPff8UIp4dWGl{DkbkUxNPQZTDsCSOKg4W+fxcYuznl5jZj9CJZ1vb8GrOJsTqjjXlhqEwRUy:GCCPfE109rnUmdl5Fr4nSOJkSKMkQQiy0GIGw{ugUv/ZfsxHTe7tPY3jmqIzZOP0Xy6WI[3ryYavqdMWTSOEMqLm/k3E/VRtb96UDwz6tUO2zP1rm58Pnuw5uqqGxzrI5J95Oh1j9DVLeQ4tX6KNlLtEWpqGXGwuQFJk6{J:rcS{sFnO0RTEHkkigNk[KlTnqwfBh[jGZYl8jL92kFX2AZs48h/cJ8XvTvDB5Yxsyus4/rGSKIQHcCt5wPG5tF6pXqzfdymzfCfYuM4o4vtQlzno4[l2Hzj1kxdrJyQfPD6Y4QXRZsknVmrVgvK:AOLNaciW3gqLSf2BfFgp9{oNJBXKP4f,r5Xg+STNNL+Fne871cZZUy0wt31Ckt+2RlEB1FgHGPjpEfcUATPZknKrXg36lZNliTZ2jJ8ZRITxNog:0u
xU3P6BBgF6WxGOt09WrrAeNwV:GcZDkP5GxI0PCbpbipOuIFOmaJSbZs7sDrU,Zdg3aE76/mqyicg28V6kE9wosfFe24QfopfOTt1Kt{s[KVGkTzXEEpRInqXYSbBwB9Mhm3+EPxKIsHWUrUQGPU09x:UwkJ5Sj4sosSY3A[w,1k7tWx81gvQ8ZJbNZd5Tix0wC5UVYu3v5w8CheWF0bKSq:s8txA{YOqtr:eXbYLxV4cG0MbSGe52SUvDQexug{7clBoR1{9KDbK5y4uq80W4Vsc7onKfYDaLc84YxIi:3KDl9iNbgF2,+8EHVFIoaMeSDVae80qVqdz2cJ47IFxyhnpYW{BToxS{jsjC4HcVBkLDnODZAEgznu/oyX2K6kOneZJ11IPSb0wwzLt7wHqZ0bGjs6/HI:QkEUyFByUSpdy3e8+4m4ZGHorCdoyGf:9Sd,48XF0esGxQQqWLEbQry:wEzpLtkmSQfC3cT7v{EnyB4[/L1Tf,PvPDFIeCRd2t2P+fUSV{3pflrnq92cs2T5YUF7vyBxFwMgs9efPtFRitEMoLi32Oi9nK8E2ND[qODdQ,ulDbVEZxUgCwQFq6YYR7vSxdc38jVeauUvX5n,hiRuvPlWRtCOQImwtDxkVx3Onkjcclw8s[a9co8Il1L9IJ5Z7ZA0ie7eiV01BFjRnYZBwJ8l+yrORODR+WC:lvDl2QqbYezSqkrqdXwJ5juK3HkDFMK{I8THkG7SiSiTCb32rOKQ+bJJhyS48ldWn3p{x7/e8O9wj{GCaHtvVk+Bo4PlXWFfu:5zIY9,HlaCqvxFVQH,ztHWouliCHoNm0aSCcN10q0FLGdykYsB9zHWu5u:VHTutURhK34kECOK7kywtlPVHCukg1lgKdoCPpFGabcGhT4wEu6m7ewfou1UXcT3hQFU1kQdd1YZY8spdWTN2KY7s5qUa26OHhfQdnF2jXIJZdeklQkdVvTyvw1ne[6{nJUYti0RnxE2A8hELsGHim1IBlwG/FHVXThQb{JP/J0N+{kJqVUDuZuHu[YKXgCSPuqR6tcpiTePFdRk7Gp8+cJlOdk8dVwOcpKtkpGThLywxb6DMvgyK,qZrU4Z1N59mSd:k0Ob/xDcbZpU2wm9curzNESFi1XVrM30lR8xPYmogifnqkJRE,dtMUdoeg8yR:ShdIG73fz8oVdYLxJ,NMBOuoeqtnbgcXrfmYPN0[KGSYBYpJQPP6SDCg0ThejqD8tENjiG5HVhd,cpE10iUhwEFij{lN1W1Ni9wxFTSZYPn6q{Q5igW5xlYO86wFKzbHqiS46TVODGb0bMnT8Znh1sVTcp3mz4R:ldTT/XoKvf9gGm8:PYf[CGHJHUCmA,h6ACItLE6rP9HdZ4qqOoD6Zr+t1gfLzjyucsNIg1o6j,Z5141ZMV36uuLdT07iHt6r9:vOBbd9WNxJS91XV5LL6ZVTZuXCSK9HK3oBIyfpI7H1mUPXNdrew8L:sWo2M94O4Vp7K[+573S[ketEcmFBsWcqw7ZUp3eBmg4lo3KSaK6,f97O7qwwvoFGkKLKADWlhUrXg0A5n282Ru1mdVzE7lw595LIJlOUedDKErIs/qiMhRcv1OuwJUp{LzeLp3WVQ0T692KnBt9JPnbSEiqyPiXpcU/fDtCjplQp1QGhwgvtaXbzG20nQNq638EWtPYPYx7npTws5ZOwM6g{weF1oSB0Fj3qreJnN9ST3:8FKDsiK:vYLGGU60neA91USgzH5cYRqBIsaHN5iim6PEhbElUmlkXYnN4DTYIQb6xluiZxYKCH2VHOb1OWI{ENlc/JFvkcw8ybwGzmiEXbxN8cB13phtG4h4rZRTQw2XVyp7TkP{ZoPZopAoTGGClX5,wZuUC4ZN7lR2O92v7TyTGUKYvJScGqpw499gfT94dbLdF62QN5pW80lF21u{aqCb26FtQM9xDKSjz8V7GqDUFbCLzMo9eF6Rs[yVvwPqr,KlRhwUC:DF
ZQP,EgJwuUTUN9M[9[2{WC3k7CX:ogRHLYhY6wB9qrMQDqSPUx8HkfAUWIOj3G52GHLwoCvfjbJGUBq,Z19OzCRnP0EvSvOJ5p28LVZWu7H6H9NGIpzus3UZVxfJlV0gjdfXHoZQp1yENSBmXCaZe{f7KO2,R4BjeHNiP:RyCnc2fIDHkNVg8un3q28OTPzVhqhxaqYjY:H7PUgVNZjrYeMGCeujFBO[fu5vN9f,ESZ,a73dNMyhPzKPcTgg3QfxK:pHCOrmRGH2UgjvGYl71ulSL6qI7uBRY4hiX{COkWRMtr65/U42q0Nl/BOPdSyVYgt{91jyzUEPp7G7Y28gy4JRvbYWdZsLU8f29v1u9IcGgoxG/gMfxZfp7l5n4XULGxD7B8tJ+GK{kh3hWSFIttMdLhV{B3cLAHUdRE5yCZh{sd1[A0J9tQQuVIgyTSqMzOM,259lx2c6dYl4hEwtlNE7hp58F2f:8ZG3qo3KJFKqIuHpPvRWPQep2iH0SrJyR[PjZmy6Qf+hX1wZ/9A5t6SOXYmM/,0FRdd5X4SjjJVLRBcsBJqi8Q8FgdnOLInoHU9pEQShb,EQwiZzdT5Ym29j3UH4BvrMFN36VpgLu4cRgrFPtQIC3L1yo3h2+11TZYnS9E2BY,H47vUJ+[EZMNBmVkQtNcWXbgd63XcDQ537kURnf5wgb9momZ94nXlHbS5TPHp78izb",
        "Wof2X9IR8BKVTZoETv5dwfmALlx9BOY4DRX9coCZgjwwKa4l,mEfCaRn2+f2gdxrJncc,2sGkFmGvhUrBO,X6k:j2nGp:3Ejnnkk",
        "USER32.dll",
        "5%5<5S5Y5r5x5",
        "L$<5!b",
        "L$,f;",
        "StrCmpNIA",
        "LocalUnlock",
        "d7L:l&#l&#",
        "Icontellnoway",
        "l&#l&#l&#z",
        "KERNEL32.LCMapStringW",
        "!This program cannot be run in DOS mode.",
        "6l&#l&#",
        "AllowSetForegroundWindow",
        "veaSTZ2MKlSKnFcuo7LRe29VsVH[ylS3v4tTr5kimDkjT1jK8zmEw3Ib0Fb:+6rihZGQnpbI0uctQL",
        "KERNEL32.DeleteFileA",
        "cRR/3dQ7BZ4+hGiCezccLHVghOVupxr2Rjmj6X9qgVfV7FUHi9bjTlhYxFPxVttgXcPdNSHITo",
        "ZetaBeduPirnhipsjailTingSrisTeleAposhuskNameHoerflagemuwo",
        "l&#j-6$|",
        "      <requestedPrivileges>",
        "O9lRP3",
        "corect.com",
        "0*00060U0Z0c0s0{0",
        "vl7:YSKKRByC+xtCa0/yjmu4d991p8fcU{eXmjOhU31RUU7utM3yf3gkoDfNwbWEI1vu+UsVUtkO3HtimPLyqUVCL97H1iiIf3NWrx2Qm[RizbgEPDrCiU0BtmxlkXDSsXF2umWja5GS34xCpbHwDNt{511DxPnYVUoYNQ1GGkjeEh9tr1KMCdD1+m7Lg2gyLf3:jLT[69yMJLOrTUkICRWzl5tVAUzmUe6XQGuH5DKFxHkiEKhvUgR5G45IwbZQFnv7UeULMZvuA7JG7ra[nyYNOLcx3fhrpgzqj8OP6DKZ9Evlk04u0VXwmfbRyfzOId/EkLtg+HVBeMhN7IIK7VxPyFD[kZ9HsrTkvUC,Ox0[MH/IEZByZ[UjMbZIMSYZ+9usqj20NJjLzz3ZEbaJxzRN12PS3eubYPcuoIZX+wj7GK6RDmvSYJXKtZqNTsdf8e7l5QbxT:T5nREYS156+KP[djet4HZ4lNi18knilO7{XveFUgYDu{Am1Xewm[10B23u0CK61UJ2+djcFVj5/f32Bbk:Bg0c0mDP4Zlo0uGpJIJdinq9tdUf+vO{kZXtTzmuEzPzNTb6WiE8S[Fy5bMnU9qyVn1TV1jq7bh9pY9,gy+zdW6CFGSeriwLzfOJCfq8vRqmG8kDJEMsRm7m2W5D5DCB2O16NbFFmBDzW{qq8K8jNilUJbSF+c8sbsamBE4{4QfVb1OdozdXsDdy2KB3YkkntUYGHDu1f0AkYqLxHiUihtr,cqzRpk6Oa50CdCDOxQFKC649drMnEnmWueZd5oUci9cbRF4p7{Mq11Tp292yrkKfA2lJpNLxzZ6K8SpgvV1fVpUlMGGOpLjxirQxVvQtyDXr0iadYyCBCYD{As1nH5xWVn8hpiZFOvCi7{113,8RlVdYSVWXON3mmQpk/VRO/25L+gOG2Kb95oGV01ZtjWNUsINWTCUbNlZx0xgCRUe2syWnbPE82:CSUYW5BmY08EZp90uEJvNuw8PcYMkn8hJ2cPiwrR/4XkSeM4GhX7oUY{1KmH9pI9eGX7QHsV57uit,WSOmN:8ChJG2dkZ:x6P3Nb6nYCZzDGxKNoiOKFgZRn3Oz8B6EePGe9pPtxa5hpitBGomb,dmklxjhmoy/mPDzPIqvCZBwLfPrWk5yTO2+dFN4mqU0ZjU0tE,4pIsf7J[7XX:CBoeAlqdPm4GngNxiGooq3Lgtfwod0vu/d9i9VMrAuog19g9DzwZ9Lh2kYVjY:Fl3gdXPYOf1FdkAJ3gR3K8cIU{bO9IzCTEROVvTz3uF[d{vHRBGrs,Y3hucc2YlzC6r8z1vcsCLte:OQh2Jzmh+Uh15zqR7DJob8jjZV9FOoYsaGqHdHoJDqUk8XiBqBYnyV7Usgus4JHF4VtuY:tcm75QAxTqyFRf5QjfHw6Kh5ybJUHTd8aIQ2SISQrqikzi9rM6GvN3CyCCLdH[CBqCH6ICLXWjjbw,IPdW0rb:lk/4q7ZSK42EaXUIPyb0FX4eRl0lEEwdzNuPSykMCZPQ7hkJ687hpVZnEdBoYpd,x5cq+66yVfvuZst8Yjg[5jiusD/wV5g460WlK,mCJ3vHxr6TYVIgS03e9naQAMwm0fpM1ELNKXZqsXT3AEmsRqJi0Jf9z6fSncZYoFNDDgCY6KhMvRe7aSvIFm8MWmJHdZ2hLNFIOHoZPBm6YBqonY9j5sRtvmIir{qznWDV4dtG+bcsI9KcTibqmGHSvbQl8Vcby3690f+X0bDi9C1ImZyg9Wq{ibu45Ygfi12lY3Tx/jbSC3cq4Mp6SpyL7EK4ZxRyRowZiosTA3cWwgttc,IEuSP5A{HmR:FIEpsH7LBwdEZ3kZ1[2uZS55oka:eZFrJ0ApW0/PmsndyiG9e9bxqdjNuMmDwRoumtf5hlnfSEoo+mzeVXf{HR8TQ21qI4LndjlkwCJrBrn6LL2JaSunyiA60guHFxbNAWa:VzPYYe5T/Ddcm5BkwiAkY
pn8xrNQzIWW+0WuZySZqxXzlDwnS,KFYcwBnUMX8SPCo,8VowfFP:pJcLosTYco8XbS6gVj4qLHlTwWPZMTC8UGh5GLEsqUFpAdq0jw85D6Ml9{GTKyaNV8zwLn5p/QTCWqnnoKPVqouIE9tGBFqCw{WYLb+qGU4GxhpuX8t7H0Xtx[rKUhKBE0FHV3kjSBRlcZAW/3m2jP8OByJ7b:JHNIlB64FIhU8,CfxpxVfCPrzHRVFUwU2hD67e3RFS7J8uSJgLQRmzxB356k7u5BKgrYZYWBuuyB0LbqPY79eL6wTusLlRLs5[suKzuyaFy7sfl:vSi2zCRq3OPfaSUvFFEod1fIdSsPE9D,3JfPKIxJ2BAICedrFxFOd{DTHVgQC[zTWUJMj{rMTZGu2SX6FsqZuMONmO/iM,O2kV4LMnesI7woT2MDV8j5l3LV4Bml+b4cMrjF+6FY5pQLmKIzSZmvDKX6uG6tkuFepLMOHXe9e:dJ73gqGfnDySZ3WPx5hHFFaKUgUGjd7Og[gfv2ksPwKsVw4ibLq2CBpHoPxumDmGZKlotFf{2lIzrghgqDnNd7RsI5YlYWQ,L89XszLHCleK9OOQJ9Tg0E+pEXgKO:WGlOemOUWSzPJysgmSFUAOfJch1b1wHkWkQDk[gYTKWqJvjNOw0Uahz,rfUBHoPknxGC5O5QKee{xlH9eOvJBnZwv[FrQr27NBh7sfp6P:E:FtCfAnq:+Cw4Hu7iotHCBJzH01I{AtLovzo7Q5ZYsoci71i[Oo9IMXdqotGmNLfkv7fSc4EpWPyx7ipTfNy{mHoSCM9z8NnI7SZNZP5UatNmg5fN8{gQq0261XXpyV/JUK0yssLuPoDCAFsENfI,zIL5Sn2fM:j3gJ8RD2evtsbtZwysS,hszXDez[5ju:JLyXHQmHDp4U3i2T6yYRE4fih84VkEDVAplvtRP[jTc69Sy,ko7rFz29Heb8CNNEQry5cz7W3tZROCeDv6wFLtw3x0pFuDCSu2jPyg94UIVmvLjmzOOyHt/kxYDlO28qwJDeTi2VxEOoG82jKrZdrKL3Oy7RbphncLYk+MeuV:FI67So9gvYsgGOy1K0gYandTYJDreFqOSfrsG20gy,3[a[0mVNHfF,EDGyY2/7Dw3SDDhr395RkRT:Zmbrd9JhA4468SAqk,CGHwlYZB4URCs3NjX7ijsTL7f37O7lecSKA59mrZE1VQJd3DeojZN8UjIDz0wK4lJU30dVRpP1I9CHIFBNhKJPWN1NiHjOfkEp5D2iYyulbCzba7JbkPOWHq6CuXxmuOn69zk,BjWDL32OvecU+6nKJG4Z2zJVWMuoNs7M2,3WJzq5+Qoqpw+cRynVxfzhcWOqCuZq3DKWlq52ZYW7VIUWulthprlxRKs,BHTcOcLugwy91JodwtoFQnNZE7Ri8FdzV{M1FIHKSOzG39WZ0HLhHk/TRgusaZUu3GS:W76xP{0Nrj5{Ix0luCM,fGyGolpcqRaikI1,3NTock6TQ7o,EGfqNCpNEezMSyrZ95tyRpEy+wYLw8quaC0uygvq7i5{CrZg/cHXys/pKRbWOBY1NFLb1mB8T3tJKk2lS:je8IPLCVU9mFPznqtqVbF,PF0RcJT1Zldm4e3lZTV2bUPRLm6[WoZZycHtR6KJDOzu9uNTSjvHj1qNTCjiqub4SeQd+4Y3DSWIq0Tb1qGWenYjCvRH56z6ReLq/KSBrxqRinBRWFRO9[f9c72wvefUiCVmT{sL3Rnu2bpYTDikhcRQbNudFcRXg9MVaTe3COOBRDsl/TeZ9RFutYs5cVMDnRmxC{iH/1IcmyvvTTTpKncCbHesMU+DsMfR3tNludKITk1ukIceAsclCvUyUNLpYoxYSJNVd7Jm6QyTARPhH,7{ORCb2Lf,1xg4qrggbZorC1p[WyTe0VYxXkoC6KVJgbc8tM4bGn3SAgV,vwmnAVG,c54:CurhP5aKY4KmA71{CD2ifq8
M3J/t4ww7eIV:gJiJfuJOrj9hYksCk4TnbxFlNm/w4[nxJ{3CYn+cPnzoLn1v3cdXT{QBxbtDIi8X2Gm{NgIRyMbdVodqaXTW7oz5tzkOv[w4KQ9,timzL4eVm5U7x,FvDgMMtiuRAzKmqpB6mMonl[EgNIhDeMa2mjhNySQ3h9xLeuNDCHy8d8G2yf9eHz4ERJa:oYDnNPUL+uPGmNf7xBJQy,+VPtjRkDpvYjpNhkI1yFVERixVTfNMMGiPfIvYRYOMGCb8iY9,vE43yuw6Kzej5wOQo3ePQJuM6gcn/iKN76GUdO7hMoXjbm6TQszrj3kWc3dDc[7smk+qycmgOGwFA4qcl53LCb8dDch4iip1s:hK4KcLG:+cC3e4VKTONwVeq4T:b8jXAmXkE1HKPzSgaGbbQZgdc:1qvi+k3RIjQkJHB{/TAs/CaVZlT5ixhYQzIKjNNIXokcYXCfM2ss8k+TAgQzu49hXg5VQ56Y3UI:SXEK9pk30WnS80NK9QrVmr/{6jq5VTMKzun5pdUwPDdk7tjKwlrScr/cG:Xvw35697/Bp6iVKMRUbSXBoXDcY6pTEL1xH81Dnhl89VibQ99185mLWB80RHsBF7kdCVJDAPwykLrFn{+FljuMUjO5sZK1ztLJeVx4bIdieL8JH[JpInVsQy0iqSP13YGqH5xHuIoIy5agKs5NBlQ1l5k[9q0R2uRxnrLj3jrUJrc8FBt0hQ5c9lbvY4VhQgzXKlQEpLUr/guBb3/R+1Axa8IIZyM9PutMPvOdB1XTrIgkPB76/zB{wLEDggfTkyqzr3L,YwuKapz:UJ7xzunXT7JE3PhB/cV5F0vC1u9vV,OmNkkWVdfcpFe3NlmultGYcXIZRC0fRfYIO9x3tm6v9wDzRgzyUTrWDqIldBVezEyhS3vIK8pWr5SS/P+b5oE1ld9,Hp8fjeuvIvSb4M7vlNKC10/NoU2:oN+dAHIrTXvjB7AnMBu8ARv1RRjlbohX70M96Cs,ugdPt4y4I:3MIW6NThjj5gcSIv79llDMq2zONdwnAD6Udpr8qpCYSs1x539GfTe,WfFV+QCL1dnNeWO:NxyE6o6I2OMmYp1pi2A{DlQKJ3i3V4NTOMoolzA:shivA3l{kfu5e73UDHe[RLGiOPevdiEg74Y,NyffmFnkRbZmbwQke9g[HwA5a6i65ICmVUFzZVyB11/rM3lwxcd[UGJmg3lOPrW7Vz+1nVZKgiWpsyilwchqbcPY6HgXyROp9sTORqzxZb3KjZOxdSzedj57WFMr/rp1tD7,NZ2MTtOdzj7zUNJ8kOpoPJi5KIFIu:FFNfAUh:2QY66glSi5yEKVWtXek39XhgWG4NTUqkgjVmYpa2JCCL1projQC2pwlrg:pXbMGBLHpitOZ8JvNTS7wLemY3bOgdhmIuL,GLy34lFqJN5OX{EZI5O1wDVO3:aH3Ch5IVcVqqQh94U2kCa5083Hf9R[KLtgQ6YB2DdzLdNGjzMZob1uRrYZ/gvqpQ8suegiR{fDSmQgpPqEvEUfbXW8sWXWZBMK2uaHQKvPkN0930TNN16cnRjwm:KvSN8I3SCz5frgS0iSXk73MKmkdw6W/efrdrvFIyXmUJI41WFphSUR2r4fxHrUlk8tLlKV/xiDuf8Wdx+GYJUMjHaeVpnOyEf3ebUjT8cZm:FfY{e:iXAuN78ibVG:zHqJIxuels6cF,ggfxOy3Kf[7RObt38E9fwCv4OF9evWXtqyuXpNvw0tqmog1yyHfhGPGVj9c2RXnDsCfzQ4klTMnMTji,oKebI50grht1lh0n431xvsBy+wJJpPLBBJ7LWkz020F3lyRMshd9iLiUQ9dLe2BHgzDMLOdjtMG{Djs0qNJC/vk{jy9NG{ZGSKGNXs7MRH/9Crf{57qQGyBYRXwiCMESFxWmHn2exiugM58y749TioU9O4T{nMaXT4t,+IoTO2aCI79KKjwSVtC7Ju6y0:ms5Pl,BZQ
ggqpOsK9{ihzp+M66Gk1BbQP6Z6PzuodMq8HPeew8CyUy2PE[Ev+NrpA0RsYimgzEt4+NVRoVncuGY:r[z9QRiil8VegbKLIu/lF:X7kzhoqRK6mTyTO6XC8[mSmQIz1:qSkw45w1Dhq9ThEXdHbyqD0G+TOQLqQHmMuwGhx8+MJGeMj{xGPoVN17kJS:G9qW5[PQtbgpnsPTNuMDn9B2/GKQymj0f:8LH5+M6j11vu1erpwjQ0+zJ3mbTozXG8yn1oI8NmDzeLY0Y4wu5Scfird1m909Vb/cF6IJfkpHBnyT8nUmJmltHY1w4wrpHCbH0l59nLHwwHLdPyvIPUMxbgT5WFm18sJSPmbJ0lxxwb8bt3fKT30,8xKg0uo7hDol9{83bvpwVFYClOE[2tkevlvgwve5Fu+fPWTV2NmZOLrqOjzKtNvmHqUPVUD3g4qHiSZRtSLsaUMeBzL12K5yb0F43pz,+XXOkZGdhQO01L78EI1Ca438PW9nhVf77nVIb{FSWy4d62+qHc2d5:Bx6RSijG5Bm8qFTh3mDEFi+UTC/5FetohifZHmT0n0p5G6FZtmoUhjhG+kVb6INJ5GrOLXbj3IDz1sHBbrkNju/xq0GoFfuV8Hou50R:ufPbqCC3M,9Htq5BpxZ:Z01rnIUu2Y5lULGjP20UMfjyj9sZCqrdmC7R5usjIs898ObrHtt8pLGLw3pI/",
        "AppendMenuA",
        "5%5,555?5D5N5k5q5}5",
        "868Q8W8",
        "2%202:2H2M2S2f2y2",
        "Vavsrubepodsjadebrooli",
        "l&#l&#l&#l&#l&#l&#k%Gl&#l&#=T",
        "    <security>",
        "WinExec",
        "l&#l&#l&#l&#Z6",
        "8H:DG82dFrncoyDBhkvNne3NvHUsdv1wi+rtyOIM997e9cBNjkZrpDv9n0z5OyJVOtzqM2u",
        "888A8",
        "0!020B0O0T0p0",
        ";,;4;:;@;E;d;q;",
        "2*2M2`2r2z2",
        "MeanOrrabirogirtWorkGawpSassPirnVinoLotaPledEidefe",
        ";&;7;A;G;^;d;s;",
        "CopyAcceleratorTableA",
        ".text",
        "?NegsgirlGhisKikeMeouCapeLimoslitcobsafarRyotkindbahpi@@YGEPCUDiteDadaArtyMuniod@@PCG@Z",
        "989>9G9a9n9t9",
        "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#r",
        "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>",
        "575=5",
        "UpdateWindow",
        "3(3.3R3",
        "5(6.6E6M6Y6r6",
        "1&1F1Y1n1x1",
        "FCfLHES7H,BLun6hRfdYUBaxqhutejeLZcw4d1/bzlKKX3M5+cZQig106BOF9241+wBOuiipszfjbMSKK7F005C8e1EpECMFk,WCk:EoglOf8L1wioSEgJ4FetDfshzddUyyw,Psfw9KbwZjS0gP0eCC2j+gi1RChRXEGsWu5Nf,TDJzCJuDLxzjifQxP9uP4jAGb4FHhXjzRr3mRlt1N[l9V3zhQZE0N8FF64/Tz6s1TUD450gNK1e{mLX60hcJS{p1toJ87bqseNQrXV9yS2dThmPfPDVYLk7KS1SFt83CnhjTsjy8nw38M1h40ntoKYzXr4T{eVt6rKSf4XaUZUNtx4vMrq2Y2BL2GV8OHw3qSJPsnUKY3Qn1Do007rOvE,sBojUjKn55+HR0MdHIp5NRm8TK70hrXwscKmvwL1mFSLBFB1DRN0R{Wpw6vYkm/0eTsu90/Qpy9ylBwxbqABbl4TuKlccLWoC9LsG:vzeUPSSrxkXPsYNQjlvb791NptUEJt9cxCu:gxbhTDI2XMtsvE1Xz6Cr3i4zILX5FFe250KWtSsYuJ7EQNYjdnss5OBctSdQszBQU1JV+JQD3yQjBqC5izEcv2gR/n5nXt5D9XmBETb2sWs{UGvtGz+wUx874YdpUJ2cJ:h1z3Fgr3X195BCXSZJM7RLvDdeQzoKzQUwAE9Ur9jfx15,t0tIdDZdLdxMFPqDaDC2FogytbTIGOUWNT+97PeCGH7ML5xNtINqOZrDeDbUp89GGxeLu,bj0OyDyeaMvRaYJjZlsG3,hBKVi8ZnyxewiOHqJ2kem1q5vuu,N{hU4j+BqekeAW7QItSYcLxspmOg5fXo/NgeT[2duepmtpLq28qE6w7tXSJpXD8MFCxur3H52b1S0urDmuw4lR0,Ys1cEq7v7X8zzY4Gv6jYbu0Dq7CGFBO{OUmG2qq{TMjq7v3fDH9kKdIMi8+{3VdhvBu5HG+jfpjR/w7UmkK9oyzjMFVgf9ibZMDEuigLB97XfczRQE7pGP47WgFcAQWOahNrso+5Ymazj0CQyYsXXDdQHLPqA,GC8eULgEppSHTlyc4w5VS{O[fpO1d{7XzptG9dCesbWSj52Mvi1npqdIeQAveRVLA[jT9bbY6,aCEzI{7oBOWs3URQTMhimvOGIztINrBEivlhKtxDMTZRohq{giW4Rg8za80nTG+NHSg4C[l1l0qixjq{WS3xw85eQTSozxppSlRGaCJ{OKP3AcNNZMunUzDUx891K:H4+Z+{DTWna,34PgK,MyG6I:qhEed08Ll[mq5CAMI:vrZORblkxmg,cCDdzyf7RRZJiNE[nPerboeYpwhQ7fVLn4mmwJZVVDe7k06ovceJ5Yuz38sEYfB{BRUzE9Zn+CwomZfbIHZ90UP,C{j2iEu4ZTBTrkS{Pq2iLo4ERqi[+wvNRD5x7Wn6J{FI7VESnwaRWkjtKnYnMH4gLZGCMF/Ckz6ohYXK0c0kLtud/MkNeNoiKwLcZhC2U7OHJQt9phhQk{LR5EWH2oie/Kk4Nn+pGjggRkskDRqgM4kf08iDFRZM4LUbBIVoNt0QRjd:aYxbR6NZRSXzrdvjvls{4XsLXZTw09gzgOSJHqL0cU8pKBiTzMZ{wnUvTSoiVDdxZQIWKKuyWTMJuund/OkCr3byTP+qCgS3KEHxn8GfdEVZsFomYYjRkmqXIDpTyJ0rc:H9ViWmE,1eHMD6uJtC5d0xj1rbdxu8DYz1rfFXQx8ZwnTBbP84UUQN8e8BtYtNaFzJPOvFmQ/PGl4LDRd,V8B6IegiPD7m/u2,/eL975cLiRPRPLSb7i78Adt{W,cR2wuZPLzZBjXLFgb1lYoFjQre3i2hNVHq0Nz:wSeoIxlB2o31h9XWcdSjTtJmfFADV6lxgZ/D7r4{KsZXQHadzuGyF1B4MhuIkUCCF0bYWzTp7YEopYRsRDtLR98jGtFV+TjZq,06BQRUBivZBMTNRi7
2jg1paPJNhZzfIx7vZ{utx6E7I8Iqzf4100jLQ53iAHbu6mFmm:cFzQ/eVWqom,8T+tHjkZHBlMRVjgrW99+zmg3[SUE,VhLsp3mzpMB66EoH1{E3k{1D2FXMopgSDRJ9DPD{3pLsBJvvgH2sNyt1BV9e4xm{Gd9p+C43b3kviv5gjh2g4jFtWhQhoOZm1[4ShmXwIiFQIukxk{QcVR1nEZEc7tQ{OsCZDSnQwdW60NLYhpj4+uRgcwT5tVe{F28XklEFq6ntjlMP1kW4uW/kPY8iDHRQFBmRT39qsgM3KSmFq:bLtKaRzT18ou2QQLdLMtdrcQg4t0m946AsQDYG7L7Eax3DJT0rBpn9F8578pUnHlH[WeR74kfMV86USE/KkMSwxKTq4xhq6bYELtk5U{2pyuq7SS7Ser0iz0cwhGelYWI92hDRq43lX:JyK[K6BtmRxct2jbpwxyr3HoW1zh675xqxGLa6KYpcr12BW7HWhuukBRR1Y7EExOj3OXt8ddYhE:B:2bKix4UMsC4Zuf3NobLGeuLvFKuUWKA8s7vy8yVjbtA3B,IKW1vlxBIC4ODvsPRK3YTlfZuFwraWlRh4rhcLp48f5zL167B9we+sQDdW9Kl74u7GXWWiRGbLUNuL0EAVYFDTnzxNquHJBZXMSl68U568/HXsXsznMffqeJqoGr5ko8cwP[hrjzhXs2jk6HT,gVbORkM5Rl0qfuUFDSx1SgbZu1XNdBOBNTBw7L9mSgg9PJ3ymfk8kCyxAjRyaVXsIsXHB:N5rQbybOfMjyciO,nve8cMiHLlOVyY47vNHLiCkZReexffiYaCP9879DeBw5B[g94s8[aSu919o9UDNmVKLkhTszobLCU88XzQ8gErT2xpLhaC1qQPODKiSQ72nhTUfThJr{zqD7HfSZS1I{xjLNtQAY/RXi0HQ5iGPjmF8EcRRrJeOL5rxLKthZzNtBlBE8Apa8U:05MGQiFTYnmwicbV+ym37SVmFDJV/Jgvnu/3Y9nEUH0J30IDWH+PcWYjyMuIh3y6CJdXz,B{1sSS8870eDP44{Kk2qrPXSJW7PCl34Je3:vNV:rc1mRZGFFkRYTcf7V8Y3+HVbsiP{k3fLa1Mu8OSNItsHcdH1InuUn9F6CIIW26+iNzMDVjg4oO2EZbwyUTcsU4ntbEXZ+KdGLFk1HpoLOkEFkvbeY,2lokUBY,itRwzx8yoGrGu2ZHGV3DLwMz0TjCgz+CK8qChK4d5N3vwSgnb7zVqgjtZSO14JE6qktpX1TRdSR,Sv3YTuUeHn5ytkhL8O07/mHwq4TB7XcHWo1o1dB[3LeVoq+LUqKfDHif/64oGHyoyNl2a1EYpWtVPV4d4rzWq8fQl[Ks+hai3cCzt7uvFOU6AYKS6WO7hCthoM9W6trgCcd4EVFPlkW:j0f0bsjruMjV+Y8o91G20neC3W4ctxw:kIj49jstFBQeaV4ljNKK7qx2n8aZ8PpllMGzPbr6q7XhRmUQU0msPggOF6V4GfFhPDWD7QQw2JTijjliwECICzdMPRDpACW6LnJkDRdNgm8tinRyVSYcFLyPvIE58IVNXscnuJb[ieIRax010TDb/{pZRtfc20TBils{0{3iIbNUXSa5vE9Kg56{B8KhfkjFK4QzxWvtTBhRcoLMx:XDEeLFW{K42JXf/q/b7YA4CxnVaCIfqsvERoA[TPIZvLPnflmSO8cDG{2xdrUVFqb9Clh97DahDhlqwJxUYt8CzmrDq95KIkls3EFkCp4UmuXQFrkUsbSSvNY{zL4ytls[BXDTu2TjVRVnAjWz7caG2PweLrMN24jXkKh1LQb2hmpTu[98JMZd3[OTH:Lqt84E26YjTWATZOCBc2Z3dkcKT60P4uXn1hEnNOJR1kzXZ7mwTzj:Fmvh6yPyOTIIf75772Mj4JIDlERvjeg7OcFe69q7RcrnAlATDQdr2PxN2MtU/[icO5Q:HY8XO3M8ektkG{eb1Tn
BvQIHrNf{jj5d24ZwwTPd/Yvgjq55ASMt/omOUXHkqW82BEDDDTHpIKmc864,guqjUdGZBZ9TexVsbrRU8X+bH2ri1[UnWPjYQe5cj7aleg3Mvke5FIB6hk8NKbuG02W2Wx9fRf8LDtS4KPTolbGwCM0nlC5wtBDfopbX8wrcrcdRITh7Sl0xM[nrCDBuUdOFgUoMssMqdjrEWd97MJeE62Jvh9+Pe5mKzLmLHkyCk[Qgqd5cG4XD8{zndyqzr9ay8:qfEFwcyrTX8ZsmtNLOxKL386X:nRlTCrK:Sonv7hnPgCDycn/G1Izim4tjhqYkJUbBcDeD/kui67GvQnx8JEzT9Viymgk8Z7C5g,YOpOG9qImU02DJvn9RvWhMDzZ7/71ilVeRN5IzR:UwLQLZncfSncGmrcPLZpLixN3ZYcARbPQbgSibwvS[I0z[ecl2uX6QsLWELfg6/lx0puvDpYdDhe6{Xb5v/J2gVM4Vhf09q:UMM7bwWmMplNYFQiZ8Dt0JX,THsEpmmWnK2mbHKtRgBsuddczGt9enKy0j5GC3gR0KS5a8Lc+Rvd8odqtFp5QZ1qbZL[xhmrNl7r9l6S5EoOOTwCBXK9yG/UF5iGkOADzUllCl1pE2kClg5BJFVnyHM9uBoVWML31eNwOfxglXhzDP21mfYL1{j:evCK9NF6rhpbOeYX8tdLhcG7bVT63HuTYLIKLCo9nW2bLMXikmBqTZQ2AtQxYHsbKcshmsJBoqxgycyjRkX6T9VGCPLDWDKT5yFhC:EK3rYyvPIZJboyb{nwP,eYQzvG5QqfOGsZDmhC5iulbnSrdScJnbaGBlIcmd2[D1qkIrRFIrZ0iR0IhwIw4qqQtOZ4CfdYIoIsR5846BQGpX6iumc077vS26w5NKdOpUGzeJ4Lb05lVxdI4Yj8UfoxwCvxnMDkUfaSfchqagrvAxn4ObOpb5QsAynnvyK[SYDP5YjsYgdGa7KzI8EWm,9eOm8oqyLFJSKdsh4J0ouQr3cxK[otU{+Dqzh,0eAzVyIylYOjYb4vlS7cdMecQBvCGVATr[Bov17P8LbpxVyuBtd9HLRwy4kf+E4UsFl6t4scQRsykd1rUrd3FcgsOQhl8LQp+wAGmlSedZb2LOlLVzypIgpxiGi3wJ3ip5vIpimv+cARA7v0GqXKgBUVDmQ00jvKJwNfmZW81GZyszWTvcYVZ34I5QMvj[b,h0vJ65uRa[x7dMLKVpms+xGWjZYijTNLHlDhuOitBUy9fWUeI76M0z2nMIaIv5PDE:zbJviMH,eyG4PMw0A0FhWO9seisiSjI0MMfeqnkphzb[0Evo5KYm/yfX2:PScE914pVtWdYbFe7VQimqbnQ33n0uxYI3i{4x7z9xwPPCxv8EjJ4hNqk9Oh0{rfYkvZBtNlR:gEPMB8uVVsajYyhSPE8rZ8xDx4qgfisnRkrgAlOXxEDyk2zl+gbTjlM8P1w00Cnkxq8phMpB43f9Bj3sfCv7cJL1Ww4G9Os0T[2:SSKNmVJ,V6FRKmMDs6SiNb1[YW0IqSkvT[Tbbdb9j9w88lxONQc{iiOZdTj1pKkiTyeN8upoH:gRvSnqOU+[5vL0cXxTddaHngRGk7kOWPnDqT+7LXe01MWzryp0eLV9abMdLkc,P2RegusQJcU1cMkDn7CgiU/sngxsFyv6aZjLdPF3A82Sr6OJ/jLq9o8oI:cnW8ppJtHV597fmJ3rKDkUoccj7X3Zn0/N+bz05G/lV87fyOw:bX6SEf5dS1YX8DtX9Wzz19t7hof0DUK{bgKXq39iQUogeb9pqfj{+1xR4sHLUMdh7fE4k3QETYfSH6kJqQKKMOhwdFTmj,4Svv5C2sGm0PhuwiwiUIJfxXpu2HUzmi4sTSvxuX9NufP77Zchb8lDbv9y344:dFZX+Ddjj9m9YbcQ5JvOFbTQW{4vMbIQ3btjLvZyE[FEjPFvJ[KloU86Mbel+1N89GrpbzfsM5k4yzW
JmzaDhX3bToCs6dwfNbz2jMLXMxAy/e1gVcmGbdiT2KxMJEQQvTGM6zJqZ:G[h9NBpkih8YtLo4eSHrp3mz/7/[xYT9qw5hr0nx/Vdwg4XOAlXdaCQXdg14bGBOEDaxxMD2Bi3QGE0SVq1NE26JxK0wECcB3jXOdCMvq4EWGvz2dvAyk{qqriPLhoX9sFpYCvXJ9nCDiBn3lQWJdVPlw0QXThEFCbvYuOGlwJqzEKrc8cfRO3nvb6NbP0CVBWASMKb,iZ6ROCFuAGj,TQdZlBzusKFrQ5mGIjjyrjits9izIjCfEuP6LjnB3:GOoGv3BNqvhS4lYtqZDrO{B0byoQdXjUgOvI4EQw8CiZuQ4DX23L7yoOFu4mK5ESbts:G[yEp2ZYK5bTyEqUpPx[3RIlF,tWyEl5+jI8QmcHv5B6A5y6ixzHVj/t/RYY7:j2GhXPVtvpNKFIrQK:F2TPfCVbfCqXnKhlxH24SCdcxdSy7D/BmYT{poqqOIyCP{1O5vNwVjWfgLtITHPUX2gNE9XK9[Ll7IiFWUOH+V9lNLzep9sTIdCn1RQxaWDV3PO5i1cniRPs2mpoghk9TgMquDpdD5qu3UzYLJBjcDzERLnOGf1cNqQbcYlHxo2pMgI1MlclJhl2flR4OQiC+LunY{59imL9b0k5CJI[PoHjcmm9gKK9o:DsmVAQUP17FW0oZz4p2ho7zP0txnP",
        "1:1A1N1T1",
        "GetAsyncKeyState",
        "VkKeyScanA",
        "SuitplieGunsMaidBaitFeusJiaotodycolyAlbsLuneToyspe",
        "=L=Z=`=l=y=",
        "SHLWAPI.SHFreeShared",
        "0%0+00060M0S0Y0a0o0",
        "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>",
        "2/242@2F2N2z2",
        "        <requestedExecutionLevel level='asInvoker' uiAccess=\"false\"/>",
        "ZQl&#",
        "NfL4bNeVlBVs0kyY+2ZqQ89V3GoXOqIxbK8r+TE9ejaG4hxF8,aEa8JZL3v6SIuu82xF+2M:8viTe",
        ">[?p?",
        "Km}0+",
        "my!s3w",
        "Dy~J~",
        "CJ\\{2",
        "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
        ">A>I>p>x>~>",
        "9'9L9\\9o9{9",
        "    </security>",
        "+Dl&#",
        "869<9z9",
        "YeukMags",
        "P$l&#z",
        "hil:IMVly1o6To8jEFu8p3IEWY7tyW0drRhPjrAN7t73rcbWc2+RtnTSnLUfgBZ{c[i5EfZ,RXjBUcZ6nRL[yE3b/,MFx9F2/",
        "8.868M8S8\\8k8",
        "xDjB[xxam9BNKWJLHoT9f0uhlQoz2A0PStCuU+tJuvGDYy,eEqGyx0tOp8yFCUO6VvpNOi[8p/hU[LGdencEimVaCelG6+9MogYRKtxJ5giqSyszCzJOFJWrL70j:G:WkjoL3xO3NgtqbVeOmJOP0n6JpatcPeDs[5H1MNrwjqqsigY0TRTBrnvKpmxJz1cSKjxGEaIBQT9R4nuPVplqF/87MDtPKRMbWum+b7eMmckX2nbzMmx0iA1Z9m4WtwRsjmHhWuSijVhykN4t0MqE,87+lVSPH29dh2w9vzhzdRn6Fq74M9x3GCJL053aRnS7:nH3x2r3wrFnmUe2T6XIVCiAL/Pbcv:UmPZFSDikrcqWcW2pfCgigDknPdIVdsBVNfoIvYHmBWJOpEoQGeCmtB{MB1mFWJS4RRd18QN3ZnIcKl{ql1j8Nef7NigRT74NjtdtUpwZlSOo9ZmneDEn0zVtCEjj3XeJGQwH2W2mY6jWuhXWQe,IlrqZVXWz9jUE2yhcPKD/89,8WEPrYhLfOLgZd3YY8jZGcYqlK365DpSXqPJRWahRR9i8F6VZlldnfvmhQAMXO7Xd{jMpEDKIKI{wpe4RQgd+siIg:TdOMg2Mg5lEjcq4E8KuSb7TYWSO3n[RYLOreHe41tvLz0gmXcMgHkukmr91q+tkmedw8Fly:Ap/uu9u,B64dhFLu4e96Drp[9Rghhm0XaR7LAPS3X3YPzQTHLMwiHZdqbrJzR4RYOJVtsz7u5BfDUmLKYoIQKF0ERnrUEKxZIUi93DqDkhtNS[X8vcqSMFBocWWnU,IKEb2RAJMUxQ+dFlfkhk+[+MMkjI9JxETBIOVc4IqBFZInRF7XsJLwD0mZx3O{iI2lSrcgBdnGC[kGcrulEVgf+HSH+,6pwK/jTiO2bv0UN1/1ndeSDqYbaln9eHS67BV1490emjzeBcepd[PxMwsGOTDVkspRuHoDGWcmOB6JO7/tHU781tXEihDGw0u3oV5238rYPjY{L0tkKtPsafFnKDAQz9Q7Qzk6HhgtLflTqWfRw5zt7T1h6spfzxfJqXkb54tphWNtl2ujhOwtA9lWf,xc8t2XSDi3RfK1o5kvD60f90cHCVP3B,QwAQF{Nn5fveQwdNCxjccM08+5SMSvx9y3b4m:GKzVDz5z4pPFFQ1BFS0C3:EDg:3qjgq4rl+7NlceKVVK6YpyjK1D1trpKl2YnV3BdOe4I4ZHL4DoolnHoFGtSSxe6rP1A,ukT8Au6J+tGntsFHIeGCRXbqgeQS8[fQzx+gp,UrqZSTGqDuBUCmHNJJI7S0LJiymWDZYZIr2TkHi[X7tCnCnetHqCtyJyCwUG/cwYc5QHIcxVWHMb+Xew71b95I28XPVLinyY4EzKU[rYmi/VMkCeBciouky0Yx09krZECWgF13lyEvU8DVfxLE2VcdUvw4K1FLZ,KOCUQtuYQfyCzmGkWXxl7d8JiRF[36i7i0erfUiKr352zFvJ76bKQsMEBfDCKY68eVTPb54hXXXl2kDzbZy6+[N8pMoMPEEhwdOdIBKzvkcCCVwSz6KeqI+9SxQwDBdkCIzqD5u4dQx0Hvf9usjkHE3dsnVrNfFGkHUhVfKhatUD2u82n5AYfqSNKi2dKv+66LXYmP7OdKOToZ4BxMAuFcnPJR1LIWas03IWvDVwVgIn34NWj023rpEPhBi{Ct3P8FThxM7cTx7qp:Xz2SxS+KJ7kKdWHFYit,BpX[meLZ5nS0BmcqzKlLtV9OK2ZSpS7FRFQ[X:VHbq1BUvXp99BwL:1UnOZ,xGxDF487kQOztE/tWu3ItYP4XkeVi{nU+yxi+TQFLsKxQ{P6t8hD6xMSpfP958A7otw6J0Kgq7wMo2n9jpMJswVr3C2zZ7g{Z3H3FQF1eVAllxYd1dX7M{YgD,JSVSgiGz+QkpP,2:ey3iESaVlnOi9VPOl[Cs6fwllH3yZdXWaHUH0ZGmhK8Jv5Q:5o
Gho:0Wuih0s6w1Orw4IzQu9HNkvxS8gwHmcWyCdJ8Hf5l8DXRoY{M[0:y{IRGbG7HKVs5jI,uhfJYo2esJ0PzfoFHWCg/KJ,+sYxEUgk8K84xKR6N:j:dP+ml9ZHAwDTrEOnq1H:a63BNTwIP8uxTCJFakflfnTONYnRiTM:uqZlNFStLbR{yi8tJvtiwGNdWcsBgMcDD6aI21eMRG9DvW5jWlfj97bn4dZRTvRf44XKpty3umYw+BU20cS:K7P4RnYcQMDzKy0xAo+GoFl,xf6PtIOczbqm8Y8LMiDRBf/03N1e/dS40qMRdB/HNXrfLBv,j3XWHXkc+JQ3LRE5/6Cd8Ohx+yAvG,Qwn3NxpRsch5XCGE956U1LtHuzE3t0nHTSUwvRXTmk6JAN2QNr+Dz59cMDnTqhqcVl9q+z2ZMnN0i3FGNpXz8QX{6sIFRmQFBCPJbSkjj9SUU9PUlu2cuBHeA2E60fg1LO2gobXVvpO1K2zCzpId5z0Uq7XQbIXnhikKgxMJ65dy/K1vl3/J4szHPFQ4+hcFXXZmFN3:UfvYrO0u3OqUAdcnVQ3y8FEEw69sKV5ult/pN[lKi5TmPubl41Ru4oGpFLgv48E2U9hhS5V{9rwNxN3JhV1EQU7krKOzHsprtNev9mi5wY4,I6oFWZA:/U74id3yHVcr33h{B4VrYoOSxF0b4u6KYxYv+qG[XFnGvrt82rsn3Wl63Z31pIO,1LPiJpYBJ9QoyQzYvLu,xgRzmlwoPuhVdMlFsxKVUOwfJL0TImfZN,cOzBvudPtW57+:mUQYOp2wQFIHF9KZQO/wpwOu0z0p96byPWl2e,7N8HC:TpGQQ6G9nMYq5Xlt0w5El34Fn8y1o7KvNGiPAVq1wL+7ElBLBrsqviK4a,0So0t2g3Co3B0gvF89nNog8:2BGlXs17ex0fos7YHKviiwvOXiZX/JeDk3veRFQL18sHe0L5jCQl2mWwhFqno{Ymw1gm03d1e5EDcFvVBWJQWECpEB7TTsQHh2RBzqzdsk0:OW/mAjisUSwLFw33vYdXJi/VUyPYs4YP/fDBpOcerLVQwVXDNScGUcCNulVP6UC7hZ3HTokrHJBMAbSPLK/VmyXRq3emGJHjCN5hO18HNpnyWHf9tC5j1g7KhDRgTOnKkIlWp7dYsTQ6y[6EjzvmIJT:6QlPeuuUVj+GedpuN31TAlZritwupe81J0ZN4v8Bzuug7[I4yOtMQ0N3/8DofpVOERzhlziwKmv2xcfBARI5ETuWIF5:iq6SKDwKLxEEsyq6txnfPDMUEMRxxq61d,OxYMy9D26O75cWrEezDCNdQg0:Y51lJXnbQmtDaubTVqJJHokBCjD{0Z0RFUFm7Jxl7LKzP{cRwvryxsx8FUUfyrQxXYZXPiM0c6Et+Biu6MmSwxXwLKFcTFJOaHrcn9FLAQEPPEIBtPGZKUMTVMh37LgfcNU[yS9FG7KNGFN75dwjL6hGRKTW7vGikCn3gUcts:leTRyLt[Te2RdLQnv1rEd,a[fCMuom3z0mNCkCQuYID75q9o2tNxSq8RBDax3:OSiW/4+4CGZMmWvgTybsaGurem1tQN+USVV[DlRYmeVrNVUTE{Ae1ItoBc9z+0IyAeJ8QJ5hRcdmMNxQk77PN4/VSPbsWD7Yv8eH0qExveztN{p4R,QjKpImbKlFdjJI/EouW6vzaSYVvvlk6FeC6UO6dIUUAm0nKYF[4rZZAx2unTKEttdViMqtP[rfGXxDxy4sRXdpNYI6Rx40cuA665jvxPV3n17wOG50L:zscKpg1vHIFrJhsFNHlwARq06yWxRBUe4k0ki0wHQVh{o3NzM[TY05SSVDFif4UFKXNi8dTFAGkchmHRAKGDbCZyUUQgxjS8d7EzQ4IysBt3WfoU8YWSLrI{zZrDYexbrgNxBMwKWBnOZUY4/J/zbnOgg8KCBQ3iMUtp349pg{yWcHenz{f9nVp3ncr:NBNcWEHpn9
MvK2jlZYzSzqrM1E+iQJMN2igB4hQgNu4sq2yUxDt{FISCB73Qilut5xU{I7y:sJBTezfc0qLFjq7mDmwrjbAmP3WlVw5Bjp/wfCaTcIo,/nE:JmSgVvuBXN7IYDOhWb6OZiz8OyOW2GO0yBDsBNnSVdohIgx{d51nzQf9ZG3F/TusMu/yDKd7H0IEL{GEwE9WFr+:YiwReYxJLrU,ckC8LmQ0m3Q3J3qJ7Bc56cc[XVVmR,eBOq5DbLdFUd9uRCwbnueEhrH1KiAUksFFpELhnVDsVzsGITFWNXuCBXD98SKVUWK0GnyWiRY4jx4EDnRIT7gnY9E7B7wg1,0ZjYZyrB4,hN/VWJ5QZHyWDOINsX3vg9Kkm:02sv5YZHz,SzcxQFLZdId9vLs7t17pe8An8sgyfoOpo4eJdnltPE+N1I2TnwvSZIJpvJttsEIqqBJmjQJyVddQQ{mTqsCv3FH96t33FtnDnrY0yIcC8Opfm3c7Q{US9K5IVOw0oea:sCY2n3AIieiOgEUDf2D6C[R9hf/4Pq35EV68mqwGI3zvUplhlN9Vi{QdmwN7i5AbeB3{XEfTQjdXBzzhbhcj6FY{RleKp,3ZnslSL19n5ZFNlBdV4pwCqfmkIcM0LFZ{/GMBKl4SGH0jtlf:7Xxpfblpjjerj5lCkFqyDPQK7,umblNQ8iunuVYNslBOZ[b,41goC5f0t00wEexrQPvQ131LAoqxz7P69lM:Uc8l7Mbx/ish9trkdqAQ5bOzbhsRWgBEEbkP5dXUjDgliFE5TezjqoL,Fsy0542LD2h8tBZfp0rcfwZWL7jtolDzzxpLH{cWmeyvB9zR1fod3Tp09ytWv1sU9pSQan6jdWYS5UaQd0txVhPNqKEOoxnBNRSwN8+3GPdEJ,T6Td8:alZ{zVc,ZrQ6Z4bJT8bFoWpyOwXhQOzcKPnr4[rVGo1IQQHhvedVYnOjJhElDPWp5QPHOfunzm9zFgc9fVeI5uL{bMUv1wXRUZsp3,BPtwnEdWp,GIn6Muurzss[fW4MMngUiY4vehKX8UJIyvcikRix72dKm1s1YeQ3Sz8SHkdyVOS,A8CSj0wuLb+Bw6KDfGj:jSGpGVmqUIjj1[AS7iCIF0cGObPV01MqKZPoId+QiRo[gzShwMdYlTvb6j0,NrCg8KE:k[XyQ,tKRovnQniI4pE:lu1PCOYLMMxMM8atUFf8HSgYP7AxD7ZEZpLEa8kCRPnXsTh172It2m/oVYfchXFDaYU{QsQvMEnQyuJwP6m,qoGqtpZ8oL+zfnygjueMygE9CuhtW8wUWWriQvRlh1DBLnYYGQDHPyyOPINUe,Ay6mSesoj19MEFnLFCRxFEFQvHgNFGznqbA{uEpxVRoBekvbDYthDS4{SBzy93GslzX6AXw:8WtYvWB5/6StmNer1ut:eVYbVBaJzo6:b,W1by9oamMOPnnbFUjLOHc7POqCmrVfqkt6LpeOMSmKOLrcaj5D+GCdCg5ub938sBFRA4bwv6qhWuRc63hMG[h:jcnM5eO6JYmPQYcvrZrDD4Zj4whRG55z8IdMaTWtlXO7b4lWcj2MbNIddbWwmdfwKDUrXoaFP,eoeHBsSSGcSbhxsHA9SGY:YLg1c2cvT3WRjgbZ2TCioiiwlwGClUGV/lpDeUFLVwBRyRqwWI75HEE9YBQY6yLF8qR2FnDIHVWCCBdGArelV3JZ1N22ivhim3CxnsZLw23PrvGR/6OXCOl1pThrph/pnBsucuJ7bJp[7VulUyZZ+HYzyxZQN[S5XOiXG[c3l9qXHu7oY3BDnP2VQnxM9NCNnLfvNqXT8LBIKRwBHWNmKSj5hXdWa{9KwLKm2H/5eLP:4dI45qt[qGeyfMdzXRnh5MMqZ0TVbKlPtF9SkI1:Dk6QoDbp7K3jErgPgNYr5Cw3JM6vIsQBNcrQi51lIOUgUc0HDuNw5hcKFTzYi7d9evV3V6iwWIIJjNhTOL26YZCv8Pmx6WZR
FjXioFReQuR{srffpWyUh8YUTg9,ME2gWmmW6x7qTqj36xHQ+e8W22SxWiDw6RC[1WY8oDUKB5oSPdiVift,a31Nsc0LMxo2WDYuRVXmdYS{RwW6yV/WSzI7hs7OQS+mV8tKr1xQEB7cOtC47pB9PCr62,u4tUoXfSwPC95W1YCcZV+cgzwZjgU7KzN0CFNTSnoeHLmfEMscgODqqj4q5pUdtybjk53m7xPFtkx[8:aN9zZwDEv86INWXtk:unexYkhf+YRDWyl1Wn8HkNzbA49vAQ75sSAVRn3G9Siq235Ivq9QKnwSzE4tIKC6TS+VIeEnvvhyj4ogt2QFyM/:kj97vS42wvGREbDrnYEsQINu1[PD9tvogR3jZ:yeOKwqe9S8BCaDXQYImK/,oRXZxs5h/zh[LYrNaWgZ4S6F9IZUs56EahP9xlf{02ee8K9bJ5YvjpKnICsMn4S2EkUz4bkHGdLBVHQtUUhR5s32Y9tQpMkXIs1yfbY5Xk+BPfmwh6pRiIVDaPb96xmV0fm{trvWT2tlJHdrbXr[4,HZK0GfwV8mdFqyTEAJtBJXsziVRTO8hI+6vpLhXEx:mOP8u0VcUv4QngAWHJnMfHS4AyvtHuhDRjMkMBymhHfb3XK7L4gn516nw[mr2:x7T:CopJRpFsHoHWA4Du81sOgIRp5wXNerpPHj59d4lhaHUyStc8oLiYnha:J[",
        "AT$({",
        "DdeQueryNextServer",
        "GetUserDefaultUILanguage",
        "l&#l&#l&#l&#l&#l&#l&#",
        "l&#l&#l&#i",
        "4@4M4d4j4",
        "wel,;",
        "7 878D8U8o8",
        "Sum97659aa52birkheadleadhebe",
        "USER32.IsIconic",
        ";#;);/;5;:;[;m;y;~;",
        "SetCurrentDirectoryW",
        "SHLWAPI.SHLockShared",
        "x3SG2r5QpEKqIrNC1e2tmbtzu3eqZEekEeNU1rKIPvpdYcbyOM9IJOwKVUVMbAW35RbRtBDAWy{CvwL9ZgBtqDX825B5hP3RuBMD7ig0J2wAEuWS266EvgxV{MO3zfIVVujjqC2IwWK1qtTeLqHW77l4s2X08BNtfLGfsOccl9jppTCWj440qjCSJ/Si8j4MxrGZ7Eu7RhlDmGJPmx0HsaJc0iwDyUKcO944Pewefu0l14x8M9MrXIEGJxmwLImlqbMV[1gXMrIxk/L/O1eTUe1v[TLNQ1VQoEIEeZGTWh4AyxBwctxdl7sFHaLut9H4V8b6t/CpwHWt1EwdIA,c8+LVb9tx0vvoz1uFRgxPcwYUHlttWgxD9ZGHSMb/byYKi1eG6Ux7diTHpf8OLdIF6BvK23qsIoQ7UD,70NuIvA6vkGI5,qEr9VVfzGGyRC6bRS{6C2[OFrcFrBQc{TcQV/KJTT509lvYz15sHu9G4rX0fvcbfdJjOLETRRO1I70U{NzxTw4XtpupTPxOg9bAidywxT7n4CWfyHGzjslARGqD8m5DBpoXuHtnLVjr5pP/u0wdwYfNoq[hINh+Rq98NNEsLwOzcezZvjN6:qLx8K0FpXOvUg9i5ooimk4I6f56b8XE1xbTuAyPTpPD87DTDwvor6RsLi5leUT5UKhzYzM7pLNmVJrRgtTj06VWyKQcs81njW4XLRVBqKwWy92XeYYK3GiTHdqQ08ihsR:Vi0e0FoUnhikXiPCtxohzwRmbXj,N7IGOLHRmf8lBn6GiprO6dXqo24rA98[NFSSbB6Wp4qEtvVtERI4hSw[6yb9jCBXzp/96:MTtPVGOZcHnnGCGNDy7u3TPlFxKZl3Go8B09cnFXJGrJXoJJ8KdZV,159bdVJFPMgLR7I6E{EJC2/51La1rv8BmWS{zFmmht2G3dv{N9iuhgM6INyJTf7N3jsMOz2:4eK:ZyVylQXOBQD,1re8jzMn3dzeVYdoFK0T9rcurutvgedif8eTUOaHrH+Bh47DDJmcP4BvhvKBIHgSk,o3J[5pAy1f8hh600b{iCuD599iLGLe/M7D9OR2XwSHs,nGDHFo4BJIHv2x9YuGYu5DlrQvzBCFv0eJgpcgGXfDL5z5SwtUtVlwTgwgp4I3dkU,k,+NAgoID0XhFnxZlpTHSFSMAr2TJ6lCegJFCLb1nqF5AzOMY{BhuN8LkxBxA3K6VihJI1bMEmeQgJNIC4ZnTuUIZnPv1WaeJHx8jYtW3vFC1{hKUHCKnCevodMcdxLlP5J9ELSJb8krUChi6JnjY4TEl4MouqqVnsYyyztprQ/uoRao7:uMeJeOw53,F,NOGLYSc{0JJQR2Lv1wnxDwn56V6kzPlMq6nHeyO5xTSBRZjtFdVgQhsW9HrgBheoDmu2hJh27wnlD6I8RMk4CR/by76KQHwdeYqgmyelIjf6/fhHFSdd/tYWtzUc9zV2N6qid460OWkqgX0oK3IxRKsLPsCZ6,RdEkQpzo1jq4RZyIYBg7I2m{ASsNSGkg6XlU64BLmL2xdqRcE06JWWZ0xw71NiYz+1SwBV0LHg1ZQ{tHTmq0Ox6lGhNEYVyj4p7mC,juiMPK8[9OFJa4XKVWyfH,DyTyxsviSLld7myFwFJ2wmMN+z95Zzyo1T1mnnV85:6NqgJsZNeCizUu8OmnAi3n6x9LAFNzvuNVlMOh+bACov/oyMefzuUE4bRJ0rwoCWh:H0wICw1GcUF6F,0b/C434:NV/rLjY7n:k41Dof/zcPMdW4R4RBv5+ZvZSZAqHcs[CqYDiiyX12u[+xdtBVHBdO6WX91UVso,p48X844,eiFRzgwyDIQUW8UxByXWT7nIVucsZEi[EKFqOTvWcP7OPIE[yPLfN:DUXOusUv3Q+{5dfBPgSXS[0sVoD{0oXQqy8MHob4SsluLuwVmb/xBjpu3V+[EOCGXeTT9FVlWFW{1wdp8u55ubyVLkCFR:
AnfT3hhZd1R3FPlPS43S7pnX1V/fGHISY[icA3bUsCJfbVb749RtjnFzgh3:rxYnpsn3uip7zFOR7tv6bnBsSF4ljfFwHVN2WIAWbmgTOouHeXarnm4qGU3ffIFounBQ5ci[h,kvqNiwPyCHxppOiU3xrJkzGuDzU29e0k2tK4v,8WBmJ0V:qyJJ0MXWv{pEtzBkMcEno3/Y74f{qEFfQw2pJJybhPzS3GN1ft0GwV8y6:a:CkrudTUy78a{J37doGjMnupz7hjEowTOuHaDcLmH0{V{cMbmnksTMxotp6wgcwcxnLHnW7OBod2RWbX3fyrsNH9MLwcRHWFbCtuKvg8bFF2gp4clEMOIKoF,S{/dssJRXFkiTBjQH5EeH7QdmbObhL31uRvthKRIJI1UxR5guexqerB3KMLv30fccH9c1:CsfJhYfimqqOhPZdocG,8[f6pOM:FvWCQcFwzpJTwyIleRYkvScIc865T7SKzD96dGnEh4xFiBUos6QgeTPkzBAFm6fZxq/,BLjDoCANWGYmlnYEiD6VbefgGl3FjWPVnm6qv0CQ1InIeL/L1Xgzx5fr5[AwYTzM0na4hw2UEVrmHETgQI6g7kLxB,xUeM6{6kqE7JzFBuTDmDV02uD8U1aNGnE[7H3XBrow4WHv4VBOBMWy+d8[rYG1JXST1G73Bhz8ICjNXPUXh6X1ocR:8CfZlRWLOUMuPUko9SohT,tisEENbOXRdrpODJPuW1D0cZnDlpDOYTkJorbzl9W7Ez0uC3yoAW27a6Bqh2Zo/kgVpefBvQ1UfPBlf0jkDmjL6U55Q{h3ytqXYu7Zb1fkNSOHAuJ1hsnvFk4WsYfgfSxe1MC8EjdYds1qGRHbvHMGN,V4orsg2oniqNOc6ULxy94QOTbWju47NCYnih4:O:CFIscX+tgkXyprsh4D3,/n6GCRkHMf3L4rUP8PiFYeDNh:NlzRBqcTtVJXmirDoQHZGFLT3eYK4UWPBuXSMjbLMFyNBNT[/OffVNMLi4wqaPFhJTf{Dw1hsrVbYrBwZwndzy8RdVqxWh39u5FMCQfO6V8nXJsqPWzMTD4f/iyQOkz[yzZfLN3xdg2sgxIhAhooWBDcP4fcw5pOx1o8Sg0TFVlsa5qFT3oLyNZlcXjzmxJb4DW,BTCiyR44lHPeZqzvP0BvP36hqpQ57mLkwqKTAv4KJGyXuHdcVLTwxxvlH2m{QW/yKFI0OkZPnoHwrhNVIX3hPB1I9E/ZANhcIC2EU2LDlvX4xmqsDUjZv,X[L5ieghQ2v9YsKXIB/cp4vIz[GoeHK[JghoFHIbBxjvP0lR+7WOzmqbWOhiJtz2fgLSy9vBfX5jLf0g3CufexuETgB4yF+PTYD4CrUUmxUf1dnTMO+bTKKZI0toB09f3HqPKEdiq4yGYPdgqlrO4ThnKcbKJzQT7DRGl[j5xwBwy1pxpcqekrcvt:nH5EuMMl38hdS{xIBkjCQLVEBX3QzRZ1viLjNdTEiM3I0NiCnKxU57TTt88NKpriE8QuQVZ5IX/Y5UBzs,U[6hIzTus8Kme:DMY3CqEGb9msjiYYXo5bGQYr83Tquz1,6O+hnRbMBTfEDR1lfNkH1,BwATJjr9RwWo3OKdHQk0QRMtHZ1dvjwb2DM2Hq/1QMlT6:Bjg8yGc{7m8oBdIlajHQEMYo1HpOX2StmYIMWrn2BuwXWCmyxxGouGLIbvvKd76kyzX5obZFkKqbPjYxx8B0iz4:hyQUBLW:rlsqGkYdWeZ6EMNPzu/IoYWF8[YIhSJ9S,cH+Db[PoR,cMI4JNdjJ:U1n[Dy18/upm9gQ{q{2k1FJZDISwfLjkPFnhi4oxixZTH:usgqIMc:CBY2tt4tRbl9UDw4ZSAkH:B0Won{Z9Z4i8c8vQD820IlG6cw+fu4vYcS1hm5iLDTtXMjUIBD/rn:aHexN9p9clA[zhEX1M3e8ZZ3iWKnXH/:iUsUXZQ0yD8c0b/Micm[NeKPKk
5PL14VKkPTnk3X1Yn7uy4I/jYBuO2klzGIakPjb,B9GTlw2{7S7Y6T2mrefYztvQdZs[MxAlI7No6l99OHIFSN8:xWV93stpastrKsuysk9RhOa,gDztfs/H6g+4Ng4xnCXsSg8fRUqQKIrgYq/rcnoqrN4yksiOHsx0kte2eThYeNk8vxOXj2jnYdkXKqmq0W3CtlBfUKhw787XypJ[PeQjS:Ov07rEneQlpd8OxltIzL9:iUkMvZ0lbF87x7r[G5ooxx056:YtmLPU3M5C5FEkiW5maPQQKYdEUQ+WoBKJRxcq6c2paMvZ7f0:j:scxeD:XFj1oEKjj{OrX4u[OQd5V00FGIKXMGGGMBrnw8iH5TtYsNKKK46TE9d758+cbMJO4CWxHB1[xb9PtdGVy2xS5psqp{qU+5Cz+bKCb8iR0nZ3e3FsFxY4FOdn1:nouXWtKYCxPXb8vIMdl:55kGg2sdN2R4+rnxlvI8dC+vET5US26,u8F5gCeE4kn6Q4PDTxAPgyRskOF1ptaYoiTOu{gm/ML5bOTq5zcE4k4tacjGUpo0agKowZ7FtgcqfUdBDBA[q49xupK716TBxho9KoGZVdwili7pbUYDAEW49Ut4fFc1XNjmw4Vdp2bzF7tdR2EBkwlOY:tvDSQo+{NVrCyc5mUMVGnbHHhhsSsBtLaKmxAgUYVTYrCSzUIr7Wx2COylsT27GoYfnVd8ldlDZFiL0sh6LlpvK7SqEEO7R7QzFqtEVcvn6YePjcIGQ2C1iUKEph7h6YKS7RoUIBfuzluVJTHZ75R6xCDzc4FUnQTprNH6+KXRekGub6uzKL9D9s0tkG1P5tlJhT4{6OWzxWxhzKBDWEYJLcpY/9sLqYvVU4lFFnzfmgYb8tqYbg3NM{gfQlncMTRsaIzESTqXXHg[Jm0fs:mSdJ8,lJ1QJ8WEzg2hpklvAJE7OG7t+KioJ{KcqiKtt{/2IXlxJz9hMFsGK0rf/wpCC[g{TntsNjiVqyyjCuQTvFG9XUKvq7kd/D9zEtid8qe8GLXz6:KwnMR6Hpkim40Oe9hLWxfK55jz6YjDfT5gVGiDu0Kv8Jmd2nW,x8+2wuFXHKYvvHTQbhgbOoEFR4Zsx4Cyj[TW0ZjSqunMpe1tjXfP2BUZzrvllWVhruNFqx2VM,8r6u+I5PMRID3gdET[j1Y824ZlDKK{FU5KhI3ntOIGOos8jDWiaToIEiMee9+:ez+mMKqgI2C:qFY1iBslVeINnS39hNB5d504M:VRAcP{0mqipXBTEm9SV2TKKL4GZIVXKO8SDfUbj[kGL2bslix41P6q/WR9i{MB99XPnvaMlP4LjSXUvw94yBWuo3H{q,6Kg6Xiv2fMSUGrTUxbYjbOgBfPi6kWfwiwfciSxnh0lMZ8dV4pq4A{RQkO3mngkt61zlq1/KnIePfzokixC8XOKySGLw46K76z5qVbKlknNcIzhqsSdpM5r:EqNVnvVdnCORQrsZsMnY6IgPMlQwPHely2HuMeu2skKBRcaUtLs:1BH9Dg8T48AdH1nWdyFmdhD{c6eoPLcNkpeQVS1eyY9OeJ9Wakl1jVzF7R076izsqhcERRdoAVYBZ0l7S7tlvGM:WZmEGMXKQVv310GogMcEhUw0c,Bq5x05WpL9YpHLDe0{qZvSYCE1a6a0pxolqYSiekT[Iz5Yn20XGmDkmkUwUCW7lT9nkqfzic3ghm25YQBjktpqf4aGCVocr[nhYuAiRGOEtjFj0Cu9QzwMlFCGjTMKl8n52Go4gX9oeo3GSch3LPtR5r0Op4ghiccb2fQqKOe2liEUJ2wCqelsKfBrhbVCzfv5GY6sJJoNzR4VW1GFunmLGyZG+PYjpiOR+2jLP1Tig0LFIlwwT{x4SVgbSPKfv3WOD7dzF7His9ze9jwlfkr3FXQ,1f7DIdybM9WVf,yQgY/phlPQX5SiiGRY2n+cn2JiI1XLQPzlQg9jyjY{WEMtydZriEgjf71s
88exwemZNZhxvR7MGCYsRFJBhrkghIDXhh+vA9iBRs0r6eBzpF8:vF4PCo3pAcYPDImwUjtvLisGS:fqh8d9IfFgL:M:fbzLWv6pA3w5yeMVyeLWH8rhh1UCsG5UqvmT/MWhyYZ5Y7s2bQ+CxrieQPc{kr5:Hmjl41pwxrlzTEovwXFO45Ku2[g9fx30/eGzjFp:iQgBg0TcKjOUxmyUrF19WVV4Th+vVJ+QeBA:v4Wh7[SIwow10XVFNmqhpZZo9lc4jsr6Fy/TIcVue0u,I7pMn,8KbbjtmK4[nlAIn3uGGjz4dmnw3XFt5LgJeg11RIEUL3Pv4JOWlctxAnCPR8m2afcFyKhhL:Wv8KS1MkwdFdK3dUZlKdxBgC4pI:j:a3vhr04jGEgivPz09l8v5cwgm:m30ZUzgdI1rcx[o{yDpvRORpk5wfWVwGSg/r712OdzsJedWQ7Zzu5wpJ0bKlY837NyvizXWQhFgqWEC6nVMsolC0SUkpK,T4r7QXqBzjsBHg7la3YtxBKss5tEeYODSoadJvmowKGELCaRu5ZV7,rCGncOUzhkLo4D4b7tgZYcjhEex7hbxq0iSuUhm:a{ZWbj700hgPGIoYATEGLo8ZcesGHigCTIdtZjJeO[nEuRGo/bY,ZD3ocSNrPw8MgP3gk3wZIqlLl1GKUenpteGcAxl3eQqv0PBvmmV6S83ntL/K0XMCH3",
        "7#757F7K7W7n7}7",
        "2SI9wQx1xfY2UrIWzJvTemNChJFpDGszD4L0Jl5RsuAcu3sHEOmeT4SGmBjiUqZzILhpceO1kDww5t+OKihbeSLLhzHbs1GHD986C,ReMmsJJIjf3ncTnt9bXPo,vmE{gPDz2REZsyx27Xs:+M+U5FghKEjHDP/NTUBz14o3SlI4VZL:r1t5MWh58v0iwpHrS8NktSTOJjheWXhQpd97E4bHtHUN2Ko3CU6olYm,6OEUPQx3UOJ9Km9VMd/pjFGqX651VHgLI3G7tibD7qf1T867qcY,4GH42WjVMS2Js,7Iao/lpMHuuliXcD8iOvBSVo2G61PzxO8JyOe0bFyX4OfzjeIK+c15dF4S/KpeWtTnu3kmApRpn{xDMS/SO66P6YphFLRpZfKyBghoL4w304IGR7o0NnKOWUTd78bUuLBKLG3bhnH:VchJCnmDieI5SJ81JhWImlyVjECF+uJLQYutOEj6Hv2RGxEeIKVf2hACQ:En8w6iHVW7mY7uN7edc8wMMH68hZiEnIaZfgKMz6p{Z3j9byPNSF2:ckyt2R2[Fu5bIBV:EtYvuef7RTxbBKBmwFQu2[B2L4ApZfg:bO+b3nfz63EN27cL1Z/kp9RzICFPuewWCCactEYWmJ97+pe[St5[OZw3tJ+VTksIcPlQD,LJjnJySQY6RMuIKVG3277Lsh9xQxKhq6L0QiOnJLzZO3sRwuUkYirCaSAweKA1ENtVpRMwkp+PmuUr4Br:xTe4cYVwJeqwIYhXn4yoweCHYkkLxtjPgOFEccuoiLNrKU2r8Wtn7g11cL76fMplBNTYIkY4ErusYuVMNgrYmqEYRHQnir/BlnyjyUTqzmG:5XNVOLSHMcqwKrn3FKSTw7ruKOHI/Xa1xqemzIY2LeB8axmVI6Y53idUbnEHLg1eyBqSy5bRfytbx{rLvdPwP5DRwGchuwMxhiaoelOWRDaKqGcLWfLiWLiK8EwnxmdeCIs0Kt37JuqtZcAyy5BdmIeldQiVJ1U4nGjkWI732YhILx+ltlLSqzE1zHEiwujR9cPf5klPgvapJ:wrctb0LNsRr8iIPZx:e1g77XvGI6B6MCM7IRhrKrxrz[0oiw2u2gX3KokGwP+7GlVr9naKTM/bIHXvoxZRm9s0n0L4PMGsJQk1Nhd9cX55em2WOQkVBFQd+k6owJxicp56Mtq5/ZrEJzqzwbZKjt5{iKIDNfmyLUVbAmwLqll3t8BxIKVlfBF[50L,+xr6T8u1KfDRtuPEjTovIBC14{5iDRXbNDDjj4eW6cBB6LGymJhLebo{WvxKS[13eSK5WV/KejMj18yXyB0LeeqIVDfKl1qo7U3Ufw/7IdK5L0gttx6guxAbI5b30y7TaXNLTykB0t/:bcg:p96C2Yp:mLdDy5rHDTJ,EznMwnLeN,q[J{UltqUtcwioFQ/bHBw:HHRU4czQt5scfjqdgt7uODxpG1FRw0w4A0IFJkfiwz0{U9kWVjFYn5PfDhduKYzM5[7SEb07LBzoU[2:xjmuTSostworQ:FH8fhdLCcrfZ4PhjcG7cVnUt9EQZQKo[yL4XP2ftM0+xaFRt5NxXX5oGaixiSov1nPLCy0S[h4A,HpnOU5nYzWK1u4pdwgIMt5Tr0xHRIC+crjjk7Qd4oYbt7WlSd[zRjI0FBQyNk9/0QFRFmp5diGScc1a3Rcw45IU1PtUPxjNGFHLPqDVEZE2vWZpzhmO5vQ4BaD982xzz5SbkskB1g1hh8KY8TCAd8wEXJ[6BnDsCaUysxoQnfsNyHX18uIPK9SkhGuep/GxGnk2NU8kd8lkKErEIQC7[N[o,f2ln9gNi3xIYmhSHMwOkh8KRcU7EP2FzRMY:PR2yuXZYrsyvn0hjvhG:Qnd,leLE8lAjUo71QLCKGewPrR305ofYj1BgdwkzeEeNzz8QIEs6s0qGMuHUnuaSpm7:FzI3p:/Uf5gZ5Xy0DgotvE6,Y{tPMjuCn0QEX
Gej5Jm7IvJNV3BwOyddOhr4njUZNkx0ousMLRIltd10jVorlbp6wVHKH70zyoygrR4TBsabzWRg1:dH9cG:9etDJFRHLU08kr9X9bgZ+hUYW7VXC8UsOYIK8:Ts3hTBckeh3sL8h2H4Xz/3fQrweU5zjkFRtFDRu8mJ6tzz+nytbUGK/,CCltJfJioEQzPYslNLVoxk/Fnc0L5hUvB:wdKdByZ5Lg64n5/Zbi7lWY8vTDV[1tvZYHSzx[LW7xf2q5tY7W64rgAQ6WJr3[xEqSiCP8Ofn5eC3OL8kf4rl9gxUJrSO9IbJx+yVNqkAsKN5[wXlqv[TFAkJHv9Hmyi4XAReG1fbWq{Fc1Vt0y1H4c2OCV0c7jxR4H6YEqZNSUwqgq92YtDKm6wyHe1nDRg9rx:Y[0HgXGRq4vJQ[uOAxFbRuJPdbBUUMW86VDCmuUTrQBDUBf8xoJOY1dqxKuffKxQi6z{sVlFlRr9HwEZW7MHBz5v1TD{b{XfbpnHntVvcjgJ8wuqhioQkg0fOW193gAtul+f8hi5SjfvH6b3ntaRmExtOfgZb7rGeXHeHLlj5y18oVCvVPbeHIBC6zOm6I16T4tk5OqRIS+rwH0f6RdSyYnsM,QEdH1{oZ3g0TIRYJ8CFVP:UiJql{nLikuwmID4p7cRSpZ:P8XyssWSx7sNcPjYJ1UrvEcWJE/3Q[1DnRpmvQJFUFCoNfTGS2m{SXmxk5rSWfUdwe+su9x2iJJi1CEqVNjlsq8ZiBY0m1Eym77ROvyTbyzmrmMfuHvk+h6jteBjX0szD6SRT2ZJ7CrOUVKfF4hkqrLv9JIbdE9xPyvtjuj7gPZeN[duV[g4kjci1h+tGn1tFyecKjRWj7pO3yaS7WKPSRxBf0gJHbReYOgjtRxyhJ+EkQRc3zyoWJa7Tu3ygZvPS9LGp{aHRbz2SKrIFDunGPjRsHqHtXUFFOyho4zJduVR2WrFmyjf3jJyRuAWCCnyi6xhuQ6TW664zbW5ni1B3laT2pvFUsmzkNW[gIQnCLmBF1n7+6H1j0rDD8JItHMZ+JoXiTYd9u3XxwkIZ3hCMe1bTcE,ddW2LCgw1MIiHedVAS75xZm1ZK9mPjHfX0/0EDFc8zdSL4jJyP8JF:nvxExWJFm1kYRzoCGqjpnXdiXrww/mw6nJH4fc2ff:aPgU2KAs3kQ2bwIEN9mNuJ4FLKvJu0YhXvueoLcMQ1HcTGY898nJU[8o8xil4GawK5Aq9{ZeBLmtM1fLCib:klINBLJs2ko1bUgl6wMKfWT9qUrnjRB7IRCCSg2O3wB4+8WpKi1xs0rwUNU4Z7Vy8DytQfJWWnamS9kcbbLgBfuZWiVH9ZGOvT3PQE7Vb3nZJlwmdwWubJmwrRb95nv3rhIDJ8Qwy0CF+oXGZbYKtnje06nzM9eC70gk6,iNsGx6sFw:65+m5MaDWcU6W796mW4DoYwPwLGL089GaKvlZJ6dzDf6wDb[XRJpM1p9eFFen1pBqfYOOcSmeXBVpM4YeEvUfYjJCQK1j:CIwfncXbyhcstWTKbrrPVr/dnM35KYURz[JVnzD34GhhW30n1wkbj4LTC2gQ1bfpcQfeNnICMyFERitWLwUHGL1jRcF3QGrSuXdERFIDSmibvruUMShyJ94EHD86cKEIG1boYeZ5MIjMmQTuqXlPVPfxUQQnU3wMVJV{txYCfYXbO94VmL3y7qGKS0EU65mNNHGU86v1ripY3vWsZodUNHOR+pVmu4y{Gg7X1RJ3FUzrfwvE1vSL10Px77C,+Vf[mrDuuuhSjha5GFskP:JPrsxIJIFBPgWKnjPoYpEqZkSfJ3nmVJIgOw4uFyr4OEH[Dct1d4AvY6D5Ee6ZeFdt1PWQ3NofwdI7LTHivtP36kfN4,WYyGlYfVuZCShnG8P{rUENuGNYH:RHXSeGUXFOIGhlb0As3msiyNJlzLMoKe+b9N7H43m8sHw[sCPtYyZ4eQl{ZBMblNnwRCopGr2
SjDyRsNoeQhEHkYS1rlT,TP92FdwjD[OmRxixGwLTy0RmbgcCPjE,SQnCMyTERk7EJ7osnTJ90z2OL36eJ:et774I0uR5S5XKJJlbitxbIQdgfmt2Y7f0LV0SfL/HWpmYfoIu4XPIRgC8MXpE8ZhpsyGRCNjC7yimTcgdZnvLxsYYMJhZv6Ug8zGv36HhqlV2ELXKweebF2mGCtJzM1XT7RJS82/WPqHFXcuB8KFGW:QiIf+:M01sLDyC/8msqLAP32lMIzbTHh3LXw3QmbdzxZmotxhLwWdI/VUVqCRmRdKf6xC4MFGfYNuv0ZUg9C2oeKbygSjmKiEP47dtg5lf2miOF5yK1vBkCEBcTcEYq:wZ7B6qcmh[LsXghJDWuJj:9qbQw8CMBLaPiHf78ZAjCwVeW3R{Z,oBCDQV1FWwVxBTjclTRbht+LnoCyGyAJ1vn0Tx1jYR8g3dw{XQTw75i2cLGQnUj{38RpYwBTdi9ichzMmeiDi0FxqC540PuGL,hyGELsEpfttjdke3gdL3SUvkWucZAPVIl6WxOnN4s16cKsVQnUsEPjl[HHuT9Yu,qO+zYzs1bqk4qjGg35AlQsKVZF/evS+Dhltyly/Ikiv:ZydeafWHv8PVKLorUol7WYfrhfhv5xwk0S7qFkmnB4ZSF76JeZ5dztEEb3RJnkYpwRTb9hgu2bUQbsSKl8x5VJzUHUxFP92LQtaUcz9d/9PLaFXcnoSLQRH2b1JXaryQ30LZW81jSDfw9kW7AhGqapdxxcdbpsTgVb5sKPmp91x{acYzFIw8VR513vcO7zAZQg/GVxBnYtZhxb0nbwULOZYmm:LmkzcxhlNKI68cL9LMONACOlKWZOP3COuzaqj09TmtIQlGW2bqjVgJuDeC82NBPPkOg7+JQBz3t8Yso3SuLSHL4:Y9KgOEZtAHpNPX4CH1vZzmwnRZH[eO6o9s8byIpfgFn9zQzGZZ50hy6[B4qI2tamaquPxLlKUZrEwY7LeKvo5EZNjs+bkyjwJh8ThB3vX1JKBf+j+VlhqT+uilgnN[xCtbErz5xUTeZtcbE2pDK76umnrGuiXoRFmbNOnjzTHVfbjUjv9hwe3sG5wK1Gv1S0PtCJqKvIHlvdJZum2LbeUMqmrqFyNXlPUDUWQtO8cW/TSOW[l6BFjLX51dLtzMpBpCpL8PS5XDhXKdltBBdTK4Ttx944gZvqJ7X6gxN6gTCijB5{4,bF1WsNsiAe+qFBPUS{ZRguBvwxGdU9sMZSrY7FpWNkZK9udol9uxqmRlIW6xsW4fNTlriH33SuDx1:0htS3YEDlWOfUqf3SgNeZqnEc{M2/gvQJxU,tETCwEDSvkXhMyQQqjth4SO:x{oQ/GUCH{YqaX0m/nhhhniJ4vHntJe2QXE{sFedRWBB4byvVn8uM8pFuifoK2gJGHYm3Nuz+KcGaIiJ/tOJwrzkpDys7yElwZPp7,Fus4MQ+TlpeIHjrDL{6gtT5WDc7IEcklIToHwL7R76/qUUlpoSEDKoVkjPsGdskwxbIwEc1hDLi5BT258JAOgpeLBMAe9XuOZYCs28MDZJ68mvMBGXts3ySQv29IeTYLFrjTvlA5bMPzpzoOeGeRqErwiXaoJ61LbovMsRehTuL3KciNKsf8fDiUUofXx,uyYWdqXRlWVLW09JlYs:ykjDtGQbptNF2pLtE{fBRfEVXYWfr,p:Jg+9T4T1Azy:IUcWFxy6wrz,UUr:WpAzyq08TqDzPGQD9pQgKluqYcOWN3en0Mp5gOwgEMy2H8jRl2A2bF575eLNqVt9DLsLusjqLoDiGhfbG4Nd7xdgXbtdjOZlp4ovHrLBmiKy3ZCI0Qz38uYv3CvV2lSqzKaVrbPGYQddX[ISmt56z{ydmmtRuiGdw{tLl[HhyZLZ/fnokEWsmwMosKn2Vc/FKRHOE7v[2gf3KUL5EsOjhMKel:DRExK4oZfjbbYL/u/lA25tgqzqkx9e/3bWj30kn
2fHEmv{RXKK/DMwIExWKrHT2nFgED1ygtkhobxFbLPM0Y8pRFFXATT7VO36VTArfdU1WOKXxKeGRMUwzmqchWDJ1vSQcD1hJicgdRFWzPjdZbRzmQ0eJ[rowTBDs,mC/9m6gfzjJlSoQws1ptwfunVYq{VmPZHCRmSMWbM6dfx1gkHv+f2zxrCdxMLKf1a:zfTPtvTIjeCiDGEgL,/PQLqkXYd[hggl4kGYlUEh4Mv6u3+quWweTwXSR4XsRiof5HMIL4U65eaq8gwRgMXPSlpkN{1m27Zz6zwXRjGycJFCl7aIVD1qQ6ikuqL6y69VbiXcLKQnh2wL5EPQ4GaWh8JV0QZnpz4FgFzdJoUhQ3oP78FnA89bX0nCt6p46IeWLr7pP7RGMoj954Vdt0iOOJ/:iEV[v6HOYcmOfnxB3FPOf2vMr7E:6BsMgNIywcSs3Z05gpI87boBAXwys{M2+RnSRGHVNY8N9MKOxX81xy7,uS21PU9CKvHCOncV2svVY7l,M6tH0kZNqv6B71CTGZUL5B06VUsKb8y97yFed8wnf[yT7VkQQdAlTGkdAW+G5lqY0ItRIUz{oe5qxs+wGxNq/BObVkeUA6z{oXB4MpKc6jy[VutH5xDXDX7pLsGhgEeuMZ/6stKYJSp[KZt4hUEMr5ludR+yR{GCxsJqk1ACs1751KeFO6bPFOZ6+22f5DKQ50fPQmdnq",
        "?#?+?0?J?O?[?}?",
        "SHLWAPI.PathIsDirectoryA",
        "glWP15xcm6:d6zsRUahNiBqz6EvG0R,m3w1wvEQOdqNfKkz56cJwtRxjngq1H/kxZ3G4N3n/bdgDEjPucBCDWQ9t7nXxJ7JRu3{yUS3TQ55G744iSKCF2WRKk50E3/XAzUJUmZ9YxpKg[JNWdRwhvRT2mx6vFbL+RmxYZv:nhB6r6px0odw766rPIubE1jL3l7UzTBL4iWQy[x1eFrN3QvgqBzVXstZu7pRcRRgvMTuGBvNw:0VpdrbQnrPZ8ByZ{LBlN+[3YyWpZXt8xB3x{MCZcWl4vP8QOsdqkep9yN[fmZnYkinriIJigdShX63H:+j18mQ2Bf8g9O2jV12CTuRWlZ5XXu29DSZErqmQdthvFxLDL8RZQsDa{BFY2/r9X/yWmUFvCtH7FrplTsVpNXtZMuqcOhm7I9QaBUQt[2u7frj/MczPbOMF{VZr5r0tLC3KX2hgeRRd[8GeJR4Z9MItIpr2PdjQh2ZU9PYuxdTKe+wqdxhbo3N85q5m6IU8jGp9SZglupcIcGL6kv[oMEfwHWSkFWYD,VYR:tuECk91Sr[Q5h8RfYsmqINO7R[ql4xpCFYj[Rsyl5eJHakZfBrBGnTvMURqQjlD2J3ir/KmvuNp,ACY0XluddlcpYW51sgpk+WcGA[NwFPnH1YVy6itI5Jnj/5HRXnUQEKz[Whfu8:scixH4c6r,jOkYQRSL/L/y2Se:Ts08IXx:f[YQXr6SdvkZKqiUWJV4ixFGxDEIV3IXCGQHptQQaDnFug9f+nr4V,DRBtb3Yh273[QVbYKWURf[2Gkmrjbwe8acIXBffFOdtG55twPDezRZeOT28pyWlHNOrPKWjVgiGPKOL1bddINT4Xvg4JsNzNlbYsrUJ5lDzHMo/i1KTGz5GvzQ02NVND8YipUQ59VD8DKHkIqgpYQ,G,pjEwMkDNiklY39+b0HW:e:AVdID8Z8D4N0e9WDgsTdxDcfqg9pXGa142dUmj8xvcxgr[V7KEzzSiWho4XniZrkG1X9tHqXYVzxPxrqcq7ppnEZxx6us5pXVJdG8Gw611ytNjwE8Y1DMy3YgjO0Kh3BHGsu7qquTDLNdiqrn3snEq2ZJCEp9y6O00brrvlpwuIPsW0LWkIyfBmez7xJmtE9Av9vU,Zew9Uk3jI58UV7G1yjJnyC3EtsGBbrbcKtw35VIPG[wrkfIGHkCH26dupHS7Oj8boDXlj76FODS8cWHYwo77Q8IVhBcDpXFbRXhjeIZ,0wM2uxmsIXTocgmNIMJ3Vi2lz[0cks7[DNDfMVpZ1WzwtZqNAqsnWo+gHiyqiyY24IRnLMCnBNDQDVBrcD5{9ZE,DQkWx5sJQojUuu6vrZWQ+PH1iqIq6LUgTnV2Nk1GITMxf:v2G4SBt9rtVvJOe49:KTqn1JSIOtN4Yxm2PgUhmOgez[LVQtrZO,f6j6miv3oqtklv1CTn+rIkHxioxXFyQ6tvev9pLYLHChoOa[1FYCBNuC6L9HJXfIS9ei1TLl4rSrlBxFvMiIEBacG{j:QWOD+qlvSt3[EfXk1jAHqy5[IWSRtfzn03umStM[eTIBluqmldvXDYOdLMli8OV7AfldsEMdoZFwrIuTTy08+61k+lEBTz6gmdPhOUsVhOOSMqLDqTtgWXA0ZyC27lEcjkqryMZ2j2letosDc0ErrNSFVwvlXLv:Wt2vGyytsGFemsyy5KJ9V0QYLvLOadMjc7QMG{Gnb5j:TiCj1:pcyx5tq2Nve[qc5m8Ek71,hu46vt13L4TpXki3JKSlXP8:g6nv+1/PeHA,weC6CfBwVRgJfpymC:SwTu5RtLl:55ap3jjk90cNK8Yve6twOIfkfegHvSKqhqgwpvdb/0+fYjxuSGwnxv9HOk2y3kibj{1udKprhnVNJ3YI2HMx7WO[GgkbkJjxM2chn7G[eHU2IzftlV5Vc4ADAXu9V:LUvO6NwQ3hFB8o+6pFB{wdebl7vjByQBBuz{x4Fk
0tZ0JTq2j49bUJ+ORUIQ+iv6rio[VoaLAmP7YgPjTN2y7bSn2T2[5Q13CuCRECq1Tf45gYdZyTm:0j1B2ng[pYsFn0m[KUfKuheY+hf7p7vrv2qf/QLwYlR:f8vhQld1NwZwTnzVUeRlbg1ziN3rLw+o9[NZEJZGYwkYsK/bz[huWOeWqc4S63S1Kb5r9XbtoqHkaDYwordJqzK:tK9wEC6kNuyJdBLjeczxzmm1lzR:tI9I7OmyusNUQ0iGh2XgqwyJa4h3U,Wg7imfsNkTcKq5ymnVCHWbe8HtTWacE9xkVBWoVcRgZfyKxh4IOuzK+5m:65juDGj6sxiPKN9y1J7SY4i24tDNiDtbbiOUd8fUWBTH916:DL3gICINyEkNjn9HlbTeWKa[iGMiW3wX/[yfo84WDBVOjzwRn7eDw6zXbjsM0BY4uM4CpXjgzVt2C0p8eqOk55rS7LU{s203G0C[S4OHGZe8N1NPxRaH02aikVC2QCmko:HMfLEuP[ueODc5/[U7EdKmcnAPY11hsuoGu{ReZH/[dIJ0mgr2H5Xc41WYJ6sli{prrim21Lp2VkK2yPF2/GyX6deY+6voXOhY9GoZiQW6XtLOIObgYnKEhNoSzzUo40IHvf87uPsPTX2vZ7trczBgYqZO9otGq,eSR07B2NWLPcz1HHK[L3UXzUC0LJsO7xQhNN08xZ0G708dfVROypAZP1UzKr3hisFVxznkhM2kLZxH1[lL1SVjl8qto5aJrsA4bUHfk6h:3T+TC4zWi4ejvcLhX0oYupAf5rLXt3pxZyNbd1QOSzu0odS6yfvB3nPZ26TK6xMlcbLUTDOJ1LS3mIUggJmRfkOd10+ryqHp1x9mLztZcNPrJi5VDmxogIosnD+0oQltHXHKbLjCg{KsC7jgE{uy5YH0pojucsH0lJqqbnW7KOJdbYcDg{+3vbrzF3uk1zOjbl4G0[H4diM:Wh2GVZLyrlMyh:R[wemxOLvCoRWmMIyrXDPU6RGDJ7ukK9axprs7ZuN{dhJnkhANgfZMG4JPRvKxabIiTlvhNbFlDO/Rt3AySc5:LdAC5vG7Z2vqJfG0Dt8Hb5u4iRl973LRHKBpAmBIuor{6ii2sqEi6XdSwQgGNnr9ztTPJ76YyT6,43IozeVmR2IwbCc8j8dlk7XMw:YcG90hVDGPSLJUwvJbaREfqCzT43wMG[fLFgsSeXtFkWEJIPX:+vD7LRLS9vWE3z7Qn9CVCnoTRNuvDcloZ0pCFJSK3QenztmlEvKY52O9/EAsJtzfIjCPUej,WM5JpzOZnPwY9j/MEfozqta[RGL1wLp,/hv:+bG4dOL2pMvcr4L5JTR9UQi5lQVSP[E:2KyLrfEhJiO4sixV6sF{kQVxf4323xZPlhNief3ugFszQTcy2vhkkWvCUsxg86lM0k/LNoMsvcs9+6B3BRWbHIEfC35gRYnUi[GTlqh9wmCQcve1O{lkrLjho4qyqqmsxdPIE03Q65Rj3l+WryA9qtX,PU0PcPcbaleTQKWI8NPwNgq,hiFSNQ/sy90wJORmpu+pD1zYUfxU8IMlQ2mk7dAtXm0foIpbfHABR75{8exKfw1gUKFZw0VGI8329M39kp/EZMrcStBR8toKddzn4RbYgfZVaonBRFmD6Gyux7g{CkIRFSE0/n0Mt[8j/D69nyfVGS7qXmABEyVsz:UsdhYE7UY:g[gk4dxZtE6RqFAvkjIVJzkpOhCWiTdYkg02WY1nRSqDCd/[tn7GfF5eQhPwyqbKuUDDbGtjWUFgaMZM3q6nIfiSzH/2cINoq{G8I0irAGgD1r+2cR9TjutBoX7l7:Ob6vloh9MUVQiCONtNzjl9NzNzROMpcB5yLhkmUbKy8B+9WIkcHthsmEcQkcXEBuzWwhC4mF7LDbJl9bryiW6P9JvUzznwfKLgEMjDaJCO8XpCllcCneJp1BC5nQ/t049SxVkbSQJQhtqsUo7YYOVQNNPZx1KT+8oi
CPLOUVKsH2gZEsbvPT+dw[O21PCQmu7N+qWO17YSMgfGaX5ef8NlUi5uAFS8SjCF1wvJMFZWgqfCRY2bJwRb3nhChgPUvxcgWIzjENmmYfF8VhMQYiVi9Z/NX7DBMda55Hzzo7b[0e+myFmFlEIYCK1Y8FISvBS1V4xtwZsuO[Yr6x0WWW4ly9mOe4lpb{fpvQxoc3je2mgXCXxrS,mUCEc81bdkqBPKpR82cueTi1L{DL0sBPOJ2kTOwIbx4zKufRkxtCSuj[1Bs69:/jsxmOl8TM/3FJ+BnlD3giZgCWALbUP,5sEqqS6imY37a1bZon6WO2OExgZUWk/mqDMm46tgn0lnM3TtMBIOAm3zXrdNsh06LtTJgQpOODIbJQ5rtPmthb3E8XN9kLZteISmDMG0d,GBKG+qGzOTLV1cH[hL0ZWx1WyOJFCy6eiwbIo6veAUnvWBcMZy51/E9ZZeEZ1OZVK67M8JZUgsGrgPF9ip2VE32yiNM48x9qd{w1cJq60r9e1T30d4hpmoyi3Dn8OpS28XF[wW3lPUwkYhkUb:XzDGrO2ZVepWOX4NptkigW7lncdfPnezsY8l5BMHmwq8DkI33joxJukHbNglRtBBCGEytUDWVEdODG+oa6hroWM7sYj,sd36hwHM4[Slu12vQvhJFgk0RG5TrrQBoD65+hlbbpsbaEAJrziT9F5gvOWFcQHyoUfMv[tB1V6M3FaINRQlNGDMoeo8qv0pm1NMQFcimpvs0RptCHO7mnjRE7CIsxRIyvD3SrgMX6ydpy9pVp6CocM9YxkJZYqlFiZn7JzTbpw966YjHegOyDF2w0qrR7LKB3ewt5D,elXq3XIVDHHyQSIJNlcRBoDMPR2Iuw7tqFT06vpgDjEx3WdrXVuOH0arpsvcwsG75{48ETjH6XEoFQOnSY1O8UUOBll{zoq3n,jwoLVFGsbsSHBBpuFBQZWlic1nhn3MoktDLXgw5coQ1ZeB+{uBDw5SC:yNY3Ov5ml[FXY{RRurdSWOegMPgRuqNRsWw3o9ovs99wgS5EBPZs/8W3DpJnvpbsBMEBAPUFmGu0ptdzvKcMR2U0d,OXsdA71G9Hw7EWVfgLIUySyZaD/eSMW:96vMr,K4sITn55YsZ17fHdm,+v7,gqYMzHR:FEOxXQL9cdDiq9zmSpNgAkn,9oBP5szhNwLx11cx+Phe/OyLbsx07jKyIDrF+KpS4RgkPzVCDCaiF2vEiVzPlqYwtu2:0RPzygi4HzEwf0b9TQHjtEoOXk3TgcahTZe3sCGwEOg5iVBZz3WW7wkiNIMrnH0ZuSagxOTBaU93fuzD4BD7yiAU9MT6yUdT+fdoMjVpOOlOGZZVdXPV7cfpzMrUnxewB5eYrcA1buh[TXZ52fNiCf9O+WYOQBPbvimSHNWzD1y2c1vfuJuQvwvNo51I4IW9Gw/fG9zVEgFD/on2puupPUipRNDcAgGVKkAQk1igO0lNcCgoVwBCIvWlURaxftnRCSqsEfyG4OYDLqIO6Ps7N7m960a1s3q[85o9RqD7c5biQoomEIWwaNbmWZr8sQg6DZ0IkBHhDhfy3qVCUUV24GvmyT13f:58GNpPcrbrB:5Ypqsg6hQKkqRzbcmUGZn,QPjxHW+V3O0J0m02k{9NhH2QyidGF4oJ84PwOPTVCXT5ZYef8n6T36N2hGWW183YwJ2WP17L8sAYrDsT813fCLsRsH0BT4aX/E8PAymxKdIsAsMzFTIIqrmqyLB4lCBFC06y0PzygEKu3D5iMgRNv38WcKBgA8LyS8llrCK[AVGdI4/4FE3zC[N9mGHIbQIOkEd2EOZcJLmQMDFdPVr1dD5bAWXENjuntW1Jo,7ptQSdZoGNjV6YD[1[kTG,X2ApkotqPIdnUMD7cBEWRJIIaODvtna:lTWjhrXzStpKJ6wGwFiy8IDLAqPvOYP4NPx4Gt7Yumlt23hqYEz[d4CSujssSNLzKMJ9YjpinzAxxI6b
5CWPGrj[X8F0hx/Quh+vHwakiOyOcViCX7FCuYb:JvQz6kUgRRfHyBOjYRAZyjH0cHditHh0a[Qgsgs0O,qKvBFQge3:EY+,VqJFWl4IQ40VdoFeKtxNuoF00LCN8kJbPlPJoneGtmc8u:F5og/0mtJKpzkn7mOrFlE,LvM9YgbsU5O5l3sofZm5xsPzuxOMZEqeRTdV14RNLDcuCjEI8Ju3WchqTXGFYnP8VUR85bquChwQnzJiVN2nUQtDaxFkpfdn/,fLTmcWKYF8/gEP4CNUN1/9fQ8peEIV8vI[IEMpZfII13mYRQzpy2Svh94f3OOs38GZjnnCVzXdDLz5zcAzWLVWN8woujHMX6UBD1SCTfARGVayq2sb5mrESRLP0FeE5il3bqSVghtd7Bqcp9Gk7yUEBVH8tQgSgEIJdGaZ2B26U[5nsigVpr/Rz{BYtGLfKEn7lgMUBTa5cM128JywBEdrVFnWmjLdVtKecdVzJwDCyCEOP1eMNL4x389UV[sNOhVOPICrB9WgLHMjOzqXzyHCQo8UtnSq4e9HFihgIeB5ZPy06iFQJ,Vp1cn5eIFeCBqmm5ovi84S6zwQxtIL3TPS/7cHJlIi1wv9I[dIUDnDK0OcR[ue14H29MyGdqLJt51gW9hBWyd5IcgqTPmRsHqgcNkZHbVDHz8He0LgHdA5fV35bKQFshOrnUZUI0thGjUrme40o",
        "BullbonyaweeWaitsnugTierDriblibye",
        "CameValeWauler",
        "6,626F6T6^6z6",
        "PathAddExtensionW",
        "SoldKartAgueiliaRushWauldhal",
        "Ml&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
        "SEh3%",
        "CellrotoCrudUntohighCols",
        ".itext",
        "SHLWAPI.PathRemoveArgsW",
        "GetCurrentThread",
        "GetWindowTextLengthW",
        ">m?s?z?",
        "%l&#l&#*",
        "=,=4=D=J=R=g=t=",
        "PathQuoteSpacesA",
        "6&6.6A6G6T6i6n6",
        "OastcabskamiKartDumbInksSomsMass",
        "5:5B5[5p5v5",
        "T$D-2T",
        "KERNEL32.SetCurrentDirectoryW",
        "1B1J1P1p1",
        "333I3u3{3",
        "151;1Y1_1g1~1",
        ".L,\\,l,Nw",
        ";#;);];w;",
        "@.reloc",
        "PathIsPrefixA",
        "3M,AM",
        "1(101F1]1c1o1~1",
        "FociTalcileador",
        "KERNEL32.GetThreadPriority",
        "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
        "5l&#l&#l&#",
        "PeckQuinFillrillsaw",
        "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
        "?=?C?L?e?k?",
        "Dymt9Q",
        "Nh(mB",
        "= =(=R=u=z=",
        "202F2M2h2m2{2",
        "616Y6_6g6",
        "HoggSoonLasstwaeNapeCeilBawlscopdub",
        "KERNEL32.OpenSemaphoreW",
        "IsCharSpaceA",
        "l&#l&#l&#l&#",
        "5%5,5<5A5]5y5",
        "efj4xot2vZRJjEoRX3B+YvXqQEy6b+EnMWjwqYmyi30fpwN5FIHcBodWlxIBHd:MDGIIURyrGQ",
        "sa<`N",
        "RidsFineZingMickMomsdue",
        "SetLastErrorEx",
        "l&#l&#l&#l&#l&#",
        ":\":-:>:D:M:[:b:",
        "`a'3w",
        "WainMeekPinyWonkpooflaudsir",
        "8 8:8Y8^8f8",
        "+l&#l&#l&#",
        "GlobalAddAtomA",
        "USER32.GetUpdateRgn",
        "Haesourfe",
        "KERNEL32.dll",
        ")0/0E0K0U0",
        ">!>&>.>E>V>w>",
        "l&#l&#l&#l&#l&#l&#l&#l&#",
        "?!?N?b?l?x?",
        "USER32.GetMonitorInfoW",
        "XARKxql2kYbPlw9gch:cQA2jE3v6dg7WE3z3yCz0vSJq6w8dhWhfiRww,u5vmpLDHbjcynGRTiv",
        ")))3n",
        "Dy_HK",
        "Nl&#l&#",
        "1ul&#",
        "?,?8?=?K?`?n?u?",
        "7%7*737B7U7o7w7",
        "GetCapture",
        "X g^c",
        "<!=+=[=a=j=z=",
        "SlabKitsSlayseptPfftjiffSabsdeskOafsNowtMemsKirnKepiMiffDunt",
        "DyokI",
        ";5;c;k;q;",
        "0.0;0b0i0|0",
        "gaA<CeV",
        ";?;F;",
        "GetClipboardData",
        "?PhatStumgatsli@@YGGN@Z",
        "PathIsUNCServerA",
        "1?1a1y1",
        "SHLWAPI.PathMakeSystemFolderW",
        ">l&#l&#l&#l&#l&#",
        "vS+WLO0QvIJzAifMhNhb+[ysF2PieT20ULF5NeIMm:r{8taxv78BJvhjK[mNBnfCY5ImlSLMu:LxFskhQvEJzodTihYjz5sdT6pkm6gKsutTUqeunNOy7Zs0nTWQ205PqUzqk[p1K54nM2SKIw99spKzdQCThsVki7H8E6r,HiNWu6UzFtg2fqq2FD0OpofFZ03zmz8UibGJTHXo0zfQqy0NLqI69snp3JFNQk2roF3tj6zbQhlW/FdWbBy4IBcSm71phOJ:7d2M/8qS89Moj83L4gDGxO/4N63DohxbbOMZPLlbyQVJz6jIcwh44sSBH5RYibc4qudToiatGEkeASVQu,97MK/s6VBM8Gy37jfVR5LMdesLW2I6OsIY2HG8xnsHOTtJdqJwP8Q1H7NPi,SZUjN8BxkU2oCncEuUxiFCIu2,nqQ4jzyCZzS2kqgOur2SCbwkqlQcOqPz37Kxohc{wniyBpSOcppcKHTvYiWYX6emwqITkSg0iUQ9q3vz/7hqHN429YsRz8ycATbxR7pDENyJvUpy18muH5DIZCV3oPAxJEz{qi6,8QSDLrxlj,xTU[C[HKwe9RoOARGdd2lBn,pmsGp3n7RBg1bQFzrBB01SJ0WzzHIi6JJvk1Kq3HGzQz7:7[sRufZEtR8czw8ndopfN0f1gNNvH2XMZuSqns10CLxeWHXQg3eKDyoQsszPiWP8ZIhg4Y+nwH0ZQgdz4YrfwUrSXOCVifhklQWU9Kcm8N+Uqq4vq[rqQf3[n0y8Z77bAwn4XMnmZH3sAo+5Ov8hQbf8mNa6MmD9yOP5nKq[8c3r3w1FiNjJ20BgDTpCTI3pScXsIX49kfUP+MZCy5d2VO8Irmr3dNwNFi6iW{bzV5JFXkEZpmmUob2:S0MyO6uV1C0W/hBhBMKj+JDpm7N4bCBws{LKwRw2cER7O2oE1t29DoP0+5ad0KbsAeQTWiE:JMUGeIOcaT4IFHchxGcQwCi1RhKRWbtHD5rqlK8eSORGf[gwklpsW94cDzUqBHHxwmV954c1TI/:fRpxhQw,tDALzgKM0mM{qx9njnR2g0DOIYF45mJFTNCrh5X1rCsSJ50kwL4zaGrszwjZiFFRGu1SodEDzTO4jGfyPI/CA,m21Sion9hyBBVB15zBAK1qTj6BL[2gGvTGJtsl5HB67k/pJNmHfqoBwMM9JH1NNQ6:i5xoAhjuJXnB6l6ooRw{OR9ON8WF8wWlpI06azho/6H[BSvE87+zKL2Hg,2qs1bOWzcU4cg2h49wLiXyEQebGWiX/n1Ow{ZXXRHLlV6c4[VtfL8T0ORuMEdrXtFsPkOQc{e7YTm6jmafH1qUcmT3/h/:17AhTsaspkfWsnoTzj1fuhaEIR16H0TGmU7{/Db:dQTZgdrPN8AxB0L,qgMwnkni04P7DhnBXIZPvbqmykapYttrywtOJfMEOTE7cwGedDdVgLDhYfkN2WAdlyTo+CbFm5oPyU9IGXlrrg7lh[McIrwpcghEgLtc88YRnxWfZX7E4NEd51WIfxP71yR:VZFeaCSmDJHL2buBCkawk,2e+1rfQQfbspJYa2aoq4JhFyTO/JOvwuR9vjBeRkIB4EdVtjWMc3mE+W5{gsNRBIe5IjVMa45MGbgV3UWM9XQpphQLz4KkMo/cHZP7I0p3yiDMDBgxtekZysrB0DhzdMq6foSvrG7[R6ue9pjkD3KLq9zXgyDpQn8T44KB4PJumij9f3gRJVnV6ldeQS5fq9ZKv{Vpoq6yZdSof15e+E1XvCivaZt5259RRc0vp{Y,yRDqFViJu[otJe6rD77oJ4N,uNYbibsRGcHp/CRl91rLSkTSjB8EZuSRJhv2eHavWlEks,knGJwlwvDecScoFDxQP[bSV5T1ocO,0nZ4nVQtt[7MDU5Oj1cBjl+FwtVCDVshBHwWqg4:nk5EThIiKuHOT2He8{Ik7tYgbvV8OKIrWMvCVFr:bFqPk{cTnt5
CBgfxt6TgX5iWxzqzwbgtJn5YQuzXKouruScQXrSwSfvv5Fe3+k/iLHcvGhiJTqtGiSFRJ8gUZc8E043fFbc5p9LkoklX31mhO2woaQfb10QG2uDUCdg[TYT3veV9RxBWCy8ZPtSKYrA{Y3ay8NX7RisqJv4zCnI:HrTrxudqrB297jezcl6nmg3wd:+3f{dmp3YzXW9z+ka9IDxpNHwIzIC13r91vFe83NCbNsJXau8uYiU33PLgVngeyuC[4Ght2nQ{j1jHW1deM7N4XiQLvt1pk:QTpDSo7vehy8EI4JUZzOreAc6NzBXuVe+:ilZsY2q:0WCzX3CToCnidPRDVGTjJWrig8n0A9yht8mOqJ3LgHB3KKiZ7CAkq[a[CWvxjL/paZmdAEYnDZdSCS0lnrDqyyXDZbw[PhtnB29zA:y9JuDj4Z6OPOE[Mr/2TrG04P3xv8cTgX+1FNqzW0J[Kqsx4DPf8qQDacMVTXxrsx1B4[Onwi7RvyqKKmKiVDtKZUOGFFD6u2v6lPHJY[zDwzcNl4Qu7jk9a,pPA3kr5xPwVIHSHZRhKrsTR6xTButXfKnXedUDj,DN9QGV1GqlnwhDA{fDCxlljfQrkiwR13dJnW64+:HXslQHFw/ptyIp9cy,bypqo:c12t8v44B,dh99JBT[XKAqLoji/jDWFks6UYtcT:CxgPzV6F/Eq3nt2{/0KRQkqn2gjk9H8O3TmzFW8vTgWSXeJQAIhN8gCX1GvfHykH8xDQeZ/Ok{hlf9qfrV2NavD:DH5bwFgqQ,I3eCgESHoKCGxBQD0EuVhRtQq8MFIsd3gGIX/6BrJeILOMH2xUX1tPfB9,MVkW4w/{FNnCEb4mJj+dO{REzFsjlilyByKnLs+Fbv+12p6HUzj6MQ0YGSt90Je4WHyJ4:ijrlwxK4FS81nbzD/85p9nj,43vpb83KcKFKi4B5P6Vkwk6qOdvXJP4,M,as3{IJBXOLeW19lhhT9WrdeKeIlLeb9:WVYVWUx81ddhTVOmo6inPKTmY4muz[yN7yjGDhH33p3iS[KhejgeZkSrsdMkG{LSRCRdgCWg/va67sd9rU8tn5g7FCdRwhnjJbfQNGjQ5vWHHIHHBxkgU2ldJwXxB7ZSARn:Tp2{syu1UNBw/5SO5w2NkCyOCPT8zzAnOmukzsHcgiuMLUvHdT0llGSih57tPVjt3HqhhLimnmWseHAqdjxEO90YHl0uUftWv53oN[KgsOu9CLxFmfA4e4lby7WU3Ka4Zq0Cj4IdU0FCyyN5eq4bIfvz4PQ2d9GjsRH3y8oi+vi7LbxJ+5CLHGKdzPSP6,k9BFksHtj9F{wffnBzt{pOq2Tixyn,c6CM89le2TgomTDr2,8I7ZP5WT4DEZ+Di[KlgKbyKoApk57tb[4VAPrRZpTnNI1CTzqCnlWEGGacOYr0HwzlbHJmgqqS/X/m/8oYkz7VRWCNJxEOa{Bw9V/JqkRo4Y2mbzMWJjh{dq6T0BFMiMJIZB4uiM1U7[eNDFuzz[FH72xX5{55kBbWhmq6fmWMzVolkpSKFwQRC6f6ODgY4Y3lEvkmXnlRhhkpKykHAZe2LPnK8lKPThmyjWMp/UT3a7kU6ynnuovH6OUi6x7Efzq1HmcfKL3CnqRT8OFrPEtOpHiDvrqIS{GsKCMmFiQbscw9pqnKFPe:Mty6oBirIo7fmZtRddoKPZC5a:ATa9c[PzYXSEXK+PhECmgcR[u:7T4G6c0WerV9TJ0FW1z7mrIHSdyFziNq+weKeFPsyWdT7OrSkutznE4IPQoHoTNu+w7G4GnfTOwfWsxtwgj{WzPmlF7On17n8zjoZ[1pV0A:8VTOgmI[t7Q:ZZ8rIfYIh136SRqQVtH9Wf0r0:aBYCU3IIk6c{MYNn75eQjBblxj+[dMX3Yrk:rD3HOwav5pe2B0uTyInY30F:Hm1Ivz62J,KRVyP5vTcb79WlIGJzh1P7dHFR8fAtH,umy53eiNiFymD
MMbz5RW/n7vgC5OeyxbrsqeTHZPhiEkKJLT+6qp3LXLcQ1EHFhPDwctzyHVt8Cdjxeih9n1Iz6jUTXPkDsgvmrKkd8CR:+W6Z0tzWFeG2v5EUjBHzxKuyOOZl7JXJ1Ou6f3AKb8GDeYvnN5AO8LL3OVEBbgXnUqUjhTRYotK{k2mCuLZm7ByV8k5uyPJRULRuzQnYDiXdMpSM0[EH7Z6F+EqhPYUwVthreM/T8vZS8G6Vzc8Ue98JzKm,4G0,94pp0:N7S2xKNysVLrJf440l+2MM7:lm/zxXWNk7bxz6MM6ZuXu,XI+1yIV,lOifbil03Wr,42GnSWC2rLkYMu+ttZ/5VPhZpxXlDxMeZEhMWgGUtr7p/2yZ/WdFQN5kYT05lc8EJcaMblhcqWaQ6Se8R2Jv7Uv{/u9QVQPrpFYlujMDykhmOSEvQkHRNEhRL,0La[VnRs63dWb2o[PIb7OHWSlmdXar/czB5Er9Xf0ONcBqsFvNNf/cl3u[npJuKN3LVVEMo4580x+E2y0lSGyJxoM2F,5ymMC026Qwu9rOJs+oiBb:AcvIQMGDerowIxikD0MqJdF286DRnUc0bmTKGbzkcNhx2q7T8LscMPe54pSBi3i0WCJQizVSAV8VgpI14QHSZsGPykeS7LxsDP85QnHlWtv9dP/yGzsDEXqeHg+RbKRCEv7TLiIhPIF[XNYk2z1wd11NCR4UmekuOPRZx449uJMUDQ6gVk3D3U3vGvTSGihjVQTSUmQo/0zw6voOeMbMOpoie7K9MZWmMpgtge2dRd0fQs4mnwAQlX6Hp8yKOeeGdIA2TwhKlpg3QLEid1QmAl217mO78Mf5SsRRhDWvy3BzVceiluEvQrP{aGaJTRXezVl736zytC1CZ[NCJZq5coCZboV57c+UJUZyqQB,xqqTVRHgjN43Py3X+GI4947D5faOawsqbMQcsmy4TU/kYp64e[EvhV4sbVSE5GgslRz518vV3Lr8m3unyQKd1UHckHp{ZDs{jFB76Rg1e[g3SJv{FryUpxlZf[SJHFzJ1liM+qS9YkmmrdLQhE8X54m8ELVMjF2b0OQYvQn9fD4Um0oJmkf4x9LCzUgy81BLupQDnzCN2H/N+nsg49Qm2hP1bUJ7GeW[2JVqmWJzye4kf3mOT,936fjoH,zP5OszBfzVVRkDiPB0Fc4Cu:i8TYDIYyF7Exw[MMTXVPc{UUB,ynHgeNRTi6uHCw8yrBGECdB,1zA[80uIPqJpV{m3SUmOe6o60rrWQU9bx2cLf:Yi0MJQ0WYJRZb[kBaXLCErQI69B:V6o[lnYirid3NxCGlbVrLRnBiTgEFwPqW83qd,t,wmFsI8o1dY8Pvc0xm2G9AVvzy2fEEJfsiZcWj,rbPrdps55L4SLcqufDcrFqb,lyTJR3azddeID1GKCLRllwgXnmnIR0ejREXL9DuNMrCTvPdRZEoxdd+DxS7JVCR1uEoGLbO2l1Qv1ZouXZD4i3ztEe9xvNGnvq7NwxJWQYe1ubo1UXejx4e9QVfmPchm5rYRMSCNH[7BelkGpX0bdFT7W9qKIvpzycH04csMzm9jaeRIvcncvO6ulz38AmkKnNzxBQVBd,J9YOTkC2+fkj0rJHbF6dr0O:DYvvXxtl8EeNitdZlnEbWy4DNgaxDfWfCLqkJTQEc,jcemmcInX0ci3BBxiB16XVqU6yBYQUub0,4GeV6ikuj9GMJjRlvJDMVmpkCRmu/4j0YMT6S6d50sy,j1ZNrpLuNF05owPePxgsrwaJLDf2+98fQKdsS2gwBvrLorQkiknYWOUW19MmX2kw10KQoba85TE,1hFQGCSoNY0Ghbi[r5aM5zz2i3os4[fKQJ/EyO8kFc4FQldtIyDxe00Rbqs1dWJyM3ZRl7PPZCFcenk2LD6VQONOQC/Bfy+ynCE:FHTb0fOhi3GhD7ruxgVMh0dZrwr,N7MzN[i7K31USqy925mWXlw95L9p2Z5Po[0SR
j6bh{4DrDfvLLspZ,LObgl{6uGD/cJ6pHl4I6cxJzOeeniK1flqAOgg7tuUmZJgH6JisgNuJibC/r6uQ4o522Dce7u9iZG[txkCpmbdM9cZEQyHuDuTRxFPy{I{THQxn8rB45HW6xzgE63bii04g0M5iQ5gyV1Bni9setCJ1tCNIWNLhOexKM/DO1sr+gUy7sjiK1sGH2/1QdtKcW1cUVpECVgbRFVBwctiy6CKA6YPg75OT4vTzu19E21oHhe99HBMKqyh+qs83vLKrRmT0h64jkI:5Cz1POQVmo8NUJsXmZ5wpDc[FQ8VAwzNg1b1jX3p36eMRpfSHZXj84hERbt07MuX4,oUk0m4YpT7zh6dLMewcYd2VFEWWJt7F6oneT+2gwwsBsywmPdtdK0DOCu:EZ0cPChY8X1c7yVoXUENQ5JgRpv1ftndKL+gfDHUjkFk8ct,7NoKiRt{/G9g75qMgIp{mlm0ocOCizWcT8kD6UKK2hUwdxFPsKJsPTjtgQsLpsLl9MwxGMs7DMhRcebI2ys:3ZGfEINh/CNqdUftluGqZe07fL6qgtaqZzkJHWjoRD7KqSjoSMIod{XViHVpHdz1g2q15KbQsqhuzXIvy31,22Fshmzko:JOXBb2y,2xAFTZ13nUQb1YtLMum6ePgwOZG0s1QGk3nx5wXnsqQwJeOn4xzlZNasHUM4T3xXTvYQA9yzCJr",
        "GeneAilshe",
        "7'7I7X7",
        "=!=4=:=?=n=w=",
        "2)2/2F2U2q2|2",
        "SungActaKopsMaarposyparefuzedeck",
        "5#555<5V5",
        "@XXXXX_+",
        "7/7o7w7}7",
        "<3<<<A<I<a<g<",
        "GetLogicalDrives",
        "anl&#",
        "jq7HezqwYuyOKNC3i,fctGeeQ2x1QTXmhuKqXC02I1c5MnF83rKeBXgm/MweVdvdadkyoVPZhqq4TeRiNb+,+w9{pYg:pwP8",
        "(l&#l&#l&#l&#l&#",
        ".rsrc",
        "0+0K0b0g0",
        "8 8&8,828?8D8i8n8",
        "1?1E1c1i1q1",
        "5$5>5M5W5",
        ":2;3w",
        "=/=Q=Y=_=e=w=|=",
        "BhfDF/NFDuDKUA,0KfZJcXUiqWKoXWXfgFKt{CDVkm0ukZktnwKJTaQaGssZy8x3iOJqsfEJIPYMYBClB4JnSVoBrf3A6GY4Vg:yQsSwlp5nYYn6Xi1j3OQiHS6b090RtXRqWM2pXT9pZNJTNyrx8JiGsTHvZOfkjlOnBEqsRO556W4tGfwCOC,Sllqng00h5aChqf{+XeYESoMCtFRumO8ASHGbWnNg[4plVF2J{5oCYcV5ebQQ35kEqziKpdMoGeiidSFcWX3B4MfH:ZXy7Qd5Xpn4tNEyRPt/vPMVITGqdV:zJpPUpMFZRZRSl1igmd8kqg9x6FbBcSmGdA1Hxgcz4jpcsNOqXvVQtAvtSn3ophMRe8VOUquuUM[Q22BKYABj62i+0JgXdsKJc76EVUgeBhlaed[o8wv71cGUxZUbgBT6J8BoQaFNGNJgb8ZwrD9BHwbI0ZqjM1gdsskSUonDTU,TYdB45UOlfloIUw[Nd7{Ek/v4nfk/4Wl5gXVNm59CqjDsMuyzyW[fBABH6Wi7:QW+eHLw12z79ZF0K2g8EBLZl5CvRrSHFRQNgTF9,K5Hghec5S{JO/5DUSbGQfSBbWMu0oDX:vF0ipLoVkHFvyGMDQY2sNpuBOcsBTxNbC:DR8T5u7XsgHHDjmXXQ2u4G+LKJzmi5og/1M1d0ho+Ut64Y7j2UWpps9sG,ZrVsjmz2vRuYlrQt7dqrsLWrudyNrCQyLKOXqM1zCnqw70+[rfhzinMr961HPiezamwQz{b4Cnet4LVIxHp3JEkV7gv5yYCLbSxuql65JXqPuJH4OVF,QHSVGWr9XrFD7Imu7yb:UyX6EdzDUOq,CdzK/PE4AxtC/I4[rc5[DhI[VysV0vBuR9DWeMLd05D3QKQ94U8tTKAVwI3cx0Kj/oXSRQh4O7OZ3sfU9wwB3cqoP9Nnk9iVVtRiOBkQIEcvklFNBpaXMWffsf9hcZC62iveR0+:tM8owm/Fq:aLG7DM7K4RQg1O/JCGhDuq0Xs6THgkqHDO6cP5yXVdkFd1TM6m3h0N21ToFTGSv0GTwF0kV2Ku/N0Zu9bCERBMIsZvMiLnWBnljCcIOzHuwkLhVTDR3o/gE,wMcWiIbLFgoH3poR3Qr3USK,dMqHvewRg:g08UJxXJjuqvA:MvBE1p3GLkH0VMDc0,rVXv70leHV4lV67LAF1Ef5xmDHAx7pdrkcVcpc9UFrdJdNXuDhG1ofkplsoj0Y0FrYapR4oWb:gT3CCGer91aeVQ3YbZ/f4su40Szyk5K2/iYtOrXpouFRP60QQSWgpqV8EVCrQXLgkRZeUhX{9JYXoM/U8KpjM8O[BDi5muflH3WNQdrw2hxkzpPr95MTZWEXfPR73ve8ipGvinDykC/Kttlfesa226fMB31SRc2bdfYmOyK:z83vEhUjymQEk4+99bIxi6dzCxvNHhSRsr8leOylhMZz4vCKN2QpwvBhB39CYzuuholg/4jEwDB37Q65GN5p/ifF5Mf2deKL0NK0eHXty1vpE9VE0f25/W34qOjiSI3yegnjzsGhXV55C[dIKTLdRIEhbczN7F1[A:L5cSemIFl:D{FtSSRLk:td8i0MS97{RDZCowTO8,hySPYhbzTMO2QSIn89ghcCe{OUWd0cYOaZhYhuXjl:b0rKaittxopu6m86LggnL8JF5R370tG4YkfVwquXLolP00DDTjAdkwfs5zHppPPyeVtCzfH3MMXJ8LO8R3oTz5GHmpgioKZu20O{11RGV[dvAHPMHIj[MpYKNsbWv9QMM5bYzLpPUc7bgPsJklp2v,aSjC1RBsUSTFOBR51fZ0XdVhhOUyb{3My9/sY6lz9ILUEdhXgC3lt7H52hPrVkOoz6XxltrjRksi46t6fGFWjS6eB,Mi4JIcp,j4Z[wUin48t9pZY9Tn5NJ[4kI1z8Wm0to5WCyqylMIJXa8J6WcleEUl88eMTI{0PH6GsNLwYiNge
pq0VNqlnSZhqJOFrorPZp2hzfpo,2YKMSnlUFBmQmb5iVrWQYfq6B5vgzL/uV428+mOK6Uj4ym0k6I1VMwIrlIOOgH3QxTF2InatsshVxKr4WLbZ4heq+BJDwYL4BWEIeDQ0GN74v,HRcubq7ldWh1Z3lztiR[UbcVrnscCwC6YCCoSoNSfV2cBxLi1br1nVyiUXII0OhOE7MeU,qFcxtTnGGVBdVICGoi6SD10u/KQ1Q4CJfUoUYFCkabQSB7W4aMcCy2kkCIf[vZoPWiQrb8ZgGCMxQ{QYprHki86W7euU6WlJi:kSEJngEG5ZDUwRT3CfAojkrm2YCqIxB7dO9XoVN:vsGQq4vL1ILXbKh17o66wraYtk7I9JIfVgH{FcNOl:Ks26W2E0KMqFYK13cC3GJkc29izB4I+{Zsbws:aGx0o43jngHpRFgRW{jshztsvlHO8LMv4Oq3JV0XUIGBh2wrLSuJQuQz0mmKRfa5LuYbOpp[OgoDxH9,UXGM8lJ7uEGo39sRh4OdxoLCiksI7Qr0oB1DLJ9gtKvtTFXLhudnj7QsRO+mwvtmMPdwll5ytpeGQ{05zo7O+oDlDBMmSg6e3S3Ye{idK:WFK6OxsjLppHI9QSCXckWoyXdVu4Oyie0BD,hEz2j4z0toGlkPUYinFVFCad/[7KcjsHXelESxa7EzSngfbq0vG4q7jd3rqPCVfnYQjYXI6S+p2I+yXCbICd2itoV659KZTxJPGcU,KHj8BVWNNDPH9qXKBX/dsoefwVubi2q9AmL3Cceg2izFtmd2HZZqUozj1zWRVkQXhqCXd1g,NHCscHLhu,4evBG9gTy{8vme+p6sE:Pmu0iCv3/f87Q[nOv,uMyER6j:ONHHBlCyfctdzDHrLxIYxWZN5kR1ypZjfx7wN[2sCiQ6gygT/9lXGhzbi0/uyuDeP1FRkydNE:2IZQ5EFNR8vEuinOU[ycEZPnAJVoSFl6OVW{Z6BTbyBrOfLo7Jb13ke,tP1MMws3WyvK+FZWo46Hivd{cIG7iH8FlFeDKuQ[EkYtQF2NTELJL,p1KCvvDxz78ILkFMj98gl92h3faBwGYSV1K7/6n:GQCmJpUhjz9h6ik6qV0YdJSqWMtRxdeqzZXHT19933OHwZH{P,qZ/2xBIVWLOnJGaSFnQeozAgne6UPIpijddnkZaoq:qN08wsxUoVo[F8SeJOI86pXZmmQPST4ZrwTrGcUNJ06P2K+ZsfR{s04PTF6uq96N6su7doSKTRSJlZOpJjjKEYubnr1vYrPYT[GFf{sYilRjKn9xRrYRz5DXO65t3iz4MOMzgkJ9VTJCcj7QBQBdYZ2NFJ9PKJHLumfylDoWBZjcfp1mXVbvisHucS/{lMCX/17SFJ1JFTwxoHi5jCw,Jjymf5JxF10eMPl0FtUNu6p,ZjL4MqioG,eLUZT65MOqyPZURVyidg8JUYhE/:aZ0M+gwqojRJ/P5bglXOS4wBJUEgNlVBIoz0GkXnVQ0RedyDyj5:OrOZQ77ytZ9D6xeQq1rPqXkWKTYTT0zed{t8oz7GEfRQtcR[chQzS[/xTuR3j:rmXLoMNii6y4Y1kr9zm:/NOBC8MjkR3DmZ0eVy+EYzJRA1UFu0zztGG4ZR1ofr73oxfEk9f8pJNHYo3rDMbQ1CI{JrWnGGYyS3RR6rJLzFe0f{pTxr7Y02mmfjE[yS04SJcxv:pxwEPcP3aCxlcMHXsGAFhsN4xitzW7BX+:7wx4T4Lve6SNUbLKhHkDgbAEGDSZbsqcip84Rtb{dyzqYhp1jnk8ATNWcJ32PGYZ3bzdmjDYaVbzD{Lnzhhi1o24jY4WLLuym,JG75l0U5v6tugFiiX9Dob2n[xqMy5yX{A3d,fGFV1oXcyMoV+ZXdj2928Cfo6Z77CuZqtqrbw9USwQL4TtYXDWlYexmR573HspVCTs2FoMPCZ4cgjS0HAhXIVWFqzjIt54MgFGQMUo8gBstffMsoh4X4
KXMSIDtTL4FbL:tmMvWrwkjS5oxp2J0sVUsTVGT1+ShYOlvLUbtEUL9JOezwF6Nbm4eyYIim8EprsP4y/WiXTl6Okk1wDqoek7/40DbGT5Yps2HLb7vWO2TRfXEfbotU88ybxzoC81K22[FQY,RFfjs36XPF64F[clXHdEnFtUv9RDmN6DSrd4zyc5ZUEo963lKc3VQl5hJBiMs5W1ekpKYK4su69zfyZYdKNnJ42Mt9V[kXRLs2bwXjj:K14bYbL65VF5QQhdZ{K5RpV1XlVEsgS36bIISwFRh4F3RHTQO43rk5mdpi+[qdDF/VzTO{PoSzloY77XoQ19TojtLlEmVr6HbVgzMGULlFALuc0b36hqlsZsC:5YLvp,UF5Cuss{i9kXtDdYkpX5CWWOdO6V+JyOKLAEAv4NY2/BbQPkYYPCJuk8t,clqz+Cx[IzkGHM/5Jf7qA[R7fdkmak9Jw:cNFLnmK[oikwgrAu3NfdMuWJ3vo7g9b0OhQ0wL+DRgdIPJhSTcUTZW3ma3PjL69TAzoUMTiwYyeNnWvjOzt5I7OJHvHG79r:8wb5fjjT9{Bum{vHgTD9OiBcxxXHm5TGi5l1d{kdq9vN3OW4a9kR0CABGCX8ljwTX[DkxzbCkPnP91dSmjFusISmyh+jKcyHDHKgmjteFCCqfewyu{mJOxMxYc3mOnXR1SbG4mWqFEszDnfF0:X91jrvnGaG5xB,l{pcH7PdPZK,oe3Dq9fIaqXqSyih+bnoJxSkhIGqI9ODyFilKTaKXRYiLibTmTw,yel1kHaw9dq:/Wu{bMVo8s3n6cA:xIenCE76wjU,+CQmFRT8ciqjEBvhF34cGBCjX:S,p85Lgf07yjUHbi9Ch0XiBdxoLPHV+cDP/bOwm[uzWHWSUknhs[NYauCOktsDR{EwXdsny9dn2xsnWcrsJbd:dO5ZYl+tZuexpuhDekGLkQaBGx8QwibdAnXcPeFRxOO,8EkUjPZJafAotTig9ObprCDV93wo3WVpajf[PUSGgNUYq4GwxRl1l8YEkLd38LobL8AMEu14zrvC3HEHBLPzYi70iN7eo5sgSCKlAhKs+O36Dpm3tlxDcuLXd:Hp5nIv9PSGdjQt3L3DclUt2wxZ18/p5bG0Y1cxDnAQxjgl1tay5K+cbQQtj4q7F6RRF2y4pvuWZBXPePKz9euZ5phE1l5:ZnDHVzesw9JTd3EsLf4QlVxPuQmPRt+8FmzdWF+NGwhnNXVtFGHyefq[5SMMLWFWXhCXoVNCIR/8ZMvvaUkNHN3eefYndNrs0XApeerI+isCVRnsxti3Hyz9mbgS89pWnnfdKP1bmEXedv7fM95cCYWyF72FDf5BxOosqX4vCn/7RyQrxIfzJ7iQVEZ{3i+sRm7wQ3h:/2rx9EmYJfZR6SjnIsxdBudDPLQtmSHDiezHaR2jTc691LGMpdAOywh2qQB51T1,lJ448{UukQ9vbGOB1MdD98i4KVWN2eVfU,t{Zw4ByfQESLdUkzj1oUD3AVBUZQVow:PFgYUQWNIOsT/xph2hTUi1hVVy93j8JVeqcOymypQI9S4fPGRNB6I6OXOo8zAfkEJ3LcOBVECF7xdVV6pUmqnje1WF1uw:CSWeXG4OIs1ZjPs8W09ka:/jlG2htKHczO/LallfFmq8YK0UfUUn5LqPidSsiGErYVJSNM0lFGeLvH7uMBC3PY7[gCrDZ5wKUFTgqj1cRoGHISQoltEDl9npVz9DWKMn32C[UtPMXUesIMqy242ycVXUzSYkmXNJWnIU5Myik2q0bEJTG28DR935p14CT3ZBnVP{TUAQh4A9BbzvyQudyBXDGLTnY9o9ilK7IURIs2ug4jFV3F/D6wH{OpP8y4vDb[I[0GGyb[CpWNOTlg/Pw33ZT{Q7bDZMtEOKIcqxYLPixog9zvZLnyCEbh8{YynG1tX4H,6idYQxNk2[zFb81vAIA9XZyyHXhn2VSjj[Wt0Qf32DUFDY0i
LEvfnlQf+X0LN:L2d3SFZB7CKJ41z8rjRN9Iue/rNneFbC+fAJ2r21aX5VgwIQxdGsIPAd40ihGXz2O{nbLn6{S3HeWkvYkXnX8qZqJod2sdkORF7MUOL95r+WUgBsnU5xKZMnwpexcyQlQfzjttNCJ46vR99d0pox8nLSDi7bL6YQhG2:bo5kvb0Cxg6tJmD7Ftx:N07rLZn6YfIZNlhrk{G9bdr4PZt:pZib/82ohG8dj41ZcZAbfQ9WFCa[K2VpPMofNRHGtOGgw3G211vBz2+Kbix,w4R2gXHuwLZ19TmXsQb3YpZ5Wp3,mNRsaD+xMupwKW4lv:cB6eE[VhSUEN4OGtg1Tk4ecgaxY{vVBu3BIgOf4xNfstzuO8OQBgff0x9MH{36PSCr3kP10,xGRrvxPKt,fz/UBRnYw0wSfBtZ4:kjt{W7D3rTz0tLQ:NIZT88GkyXu7X6C65Bg{SWP40J6T78SbI64R6vHraOdpWPVjBuCvZ7kzomoMjyJ,Bg8sP3Bw/KEfgvczYocu2eo,ecgxg97Hc[5ktOF4LLg{fjfmeVFzQvRH4UIHju+UdE1MWqWir5lNRq7fKZH0Wzd,i5mKFveJ1h/pC6rma4+N0K+H80/GjSjINkQqQovwPHNN9VAPSVIWUj+PY18oFwpycIvG5OPW4{BmuLSchRs8siWEYQ8YBnCYz6gwM,uYOfW[LmOBw02pJ",
        "SiretomsbritGrewIckyNapaLumsBoaren",
        "85+IZrM4lXHU4HObuTGHaOAzaZA[w1b8g0FcaXI9HRuGp,tuo{who0BHGIlNQNRk6n2[ON0Ia8p7etGiUY",
        "GetDriveTypeA",
        "D$dm*",
        "DenyLubeDunssawsOresvarut",
        "l&#l&#GP",
        "l&#l&#l&#l&#l&#l&#l&#l&#l&#v",
        "797A7F7K7Q7n7s7{7",
        "?OilspocoShopGlutNapeTyroapedfiscjo@@YGGXZ",
        "?%?9???V?]?e?",
        ";^ {lCV",
        "484S4Y4t4y4",
        "FindNextFileA",
        "9$949|9",
        "GetCompressedFileSizeA",
        "yO?^:,z"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "procdump": [
    {
      "name": "7774c21f9b371c18e10f473e8877e6dbe52fd2b55d81b5204b3f17586de58d5e",
      "path": "/opt/CAPEv2/storage/analyses/95/procdump/7774c21f9b371c18e10f473e8877e6dbe52fd2b55d81b5204b3f17586de58d5e",
      "guest_paths": "1;?C:\\Windows\\SysWOW64\\cmd.exe;?C:\\Windows\\SysWOW64\\cmd.exe;?",
      "size": 236032,
      "crc32": "814892A0",
      "md5": "2213274fc41ab69113de9831168b9689",
      "sha1": "458575631e672fa786f5de877d4f46c086884490",
      "sha256": "7774c21f9b371c18e10f473e8877e6dbe52fd2b55d81b5204b3f17586de58d5e",
      "sha512": "c9527034bbf1b921e832e2838993fa874360a1e17c55036039f5965048df6f6479b8cdbc4ee30cdcbf58e3d8970bced8f7ed201fd1af01ed0dd1368487ba9b82",
      "rh_hash": null,
      "ssdeep": "6144:EtRtEvSi51MB19nD8c0N6GTNqGjdPUQ9oTmtBme:EtRhivMBXL8BhNzn",
      "type": "PE32 executable (console) Intel 80386, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T17D346B62B748A0B1CA622234157AE633897DEC35871252C7B7E55E7B7DB02C0BD3C71A",
      "sha3_384": "2b1b1431a26499760eb4cb9b900f3c5f4ba20dd82a01037b82abae67a4b08a015e8a06fd48c9210d7b0cf701203037c0",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\95\\invoice_231836298371.exe",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00010000",
        "entrypoint": "0x00016b20",
        "ep_bytes": "e8d0050000e9d9fdffffcccccccccccc",
        "peid_signatures": null,
        "reported_checksum": "0x00046aec",
        "actual_checksum": "0x00047501",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": "cmd.pdb",
        "imports": {
          "msvcrt": {
            "dll": "msvcrt.dll",
            "imports": [
              {
                "address": "0x5a314",
                "name": "__dllonexit"
              },
              {
                "address": "0x5a318",
                "name": "_unlock"
              },
              {
                "address": "0x5a31c",
                "name": "_lock"
              },
              {
                "address": "0x5a320",
                "name": "_initterm"
              },
              {
                "address": "0x5a324",
                "name": "wcsspn"
              },
              {
                "address": "0x5a328",
                "name": "_tell"
              },
              {
                "address": "0x5a32c",
                "name": "_except_handler4_common"
              },
              {
                "address": "0x5a330",
                "name": "__setusermatherr"
              },
              {
                "address": "0x5a334",
                "name": "__p__fmode"
              },
              {
                "address": "0x5a338",
                "name": "_cexit"
              },
              {
                "address": "0x5a33c",
                "name": "_exit"
              },
              {
                "address": "0x5a340",
                "name": "__set_app_type"
              },
              {
                "address": "0x5a344",
                "name": "__getmainargs"
              },
              {
                "address": "0x5a348",
                "name": "_amsg_exit"
              },
              {
                "address": "0x5a34c",
                "name": "__p__commode"
              },
              {
                "address": "0x5a350",
                "name": "_XcptFilter"
              },
              {
                "address": "0x5a354",
                "name": "calloc"
              },
              {
                "address": "0x5a358",
                "name": "free"
              },
              {
                "address": "0x5a35c",
                "name": "_purecall"
              },
              {
                "address": "0x5a360",
                "name": "__CxxFrameHandler3"
              },
              {
                "address": "0x5a364",
                "name": "?terminate@@YAXXZ"
              },
              {
                "address": "0x5a368",
                "name": "_wcslwr"
              },
              {
                "address": "0x5a36c",
                "name": "_controlfp"
              },
              {
                "address": "0x5a370",
                "name": "_dup2"
              },
              {
                "address": "0x5a374",
                "name": "memcmp"
              },
              {
                "address": "0x5a378",
                "name": "_local_unwind4"
              },
              {
                "address": "0x5a37c",
                "name": "_dup"
              },
              {
                "address": "0x5a380",
                "name": "??1type_info@@UAE@XZ"
              },
              {
                "address": "0x5a384",
                "name": "_close"
              },
              {
                "address": "0x5a388",
                "name": "_open_osfhandle"
              },
              {
                "address": "0x5a38c",
                "name": "swscanf"
              },
              {
                "address": "0x5a390",
                "name": "_ultoa"
              },
              {
                "address": "0x5a394",
                "name": "_pipe"
              },
              {
                "address": "0x5a398",
                "name": "memmove"
              },
              {
                "address": "0x5a39c",
                "name": "wcsncmp"
              },
              {
                "address": "0x5a3a0",
                "name": "_setmode"
              },
              {
                "address": "0x5a3a4",
                "name": "exit"
              },
              {
                "address": "0x5a3a8",
                "name": "_getch"
              },
              {
                "address": "0x5a3ac",
                "name": "iswspace"
              },
              {
                "address": "0x5a3b0",
                "name": "wcschr"
              },
              {
                "address": "0x5a3b4",
                "name": "iswxdigit"
              },
              {
                "address": "0x5a3b8",
                "name": "_setjmp3"
              },
              {
                "address": "0x5a3bc",
                "name": "time"
              },
              {
                "address": "0x5a3c0",
                "name": "srand"
              },
              {
                "address": "0x5a3c4",
                "name": "_wtol"
              },
              {
                "address": "0x5a3c8",
                "name": "fflush"
              },
              {
                "address": "0x5a3cc",
                "name": "wcsstr"
              },
              {
                "address": "0x5a3d0",
                "name": "iswalpha"
              },
              {
                "address": "0x5a3d4",
                "name": "wcstoul"
              },
              {
                "address": "0x5a3d8",
                "name": "??3@YAXPAX@Z"
              },
              {
                "address": "0x5a3dc",
                "name": "_errno"
              },
              {
                "address": "0x5a3e0",
                "name": "??_V@YAXPAX@Z"
              },
              {
                "address": "0x5a3e4",
                "name": "printf"
              },
              {
                "address": "0x5a3e8",
                "name": "memcpy_s"
              },
              {
                "address": "0x5a3ec",
                "name": "_onexit"
              },
              {
                "address": "0x5a3f0",
                "name": "fgets"
              },
              {
                "address": "0x5a3f4",
                "name": "qsort"
              },
              {
                "address": "0x5a3f8",
                "name": "rand"
              },
              {
                "address": "0x5a3fc",
                "name": "_pclose"
              },
              {
                "address": "0x5a400",
                "name": "fprintf"
              },
              {
                "address": "0x5a404",
                "name": "wcsrchr"
              },
              {
                "address": "0x5a408",
                "name": "ferror"
              },
              {
                "address": "0x5a40c",
                "name": "realloc"
              },
              {
                "address": "0x5a410",
                "name": "towlower"
              },
              {
                "address": "0x5a414",
                "name": "setlocale"
              },
              {
                "address": "0x5a418",
                "name": "towupper"
              },
              {
                "address": "0x5a41c",
                "name": "_wcsupr"
              },
              {
                "address": "0x5a420",
                "name": "feof"
              },
              {
                "address": "0x5a424",
                "name": "_wpopen"
              },
              {
                "address": "0x5a428",
                "name": "_wcsnicmp"
              },
              {
                "address": "0x5a42c",
                "name": "_get_osfhandle"
              },
              {
                "address": "0x5a430",
                "name": "longjmp"
              },
              {
                "address": "0x5a434",
                "name": "iswdigit"
              },
              {
                "address": "0x5a438",
                "name": "wcstol"
              },
              {
                "address": "0x5a43c",
                "name": "_vsnwprintf"
              },
              {
                "address": "0x5a440",
                "name": "_wcsicmp"
              },
              {
                "address": "0x5a444",
                "name": "__iob_func"
              },
              {
                "address": "0x5a448",
                "name": "malloc"
              },
              {
                "address": "0x5a44c",
                "name": "_callnewh"
              },
              {
                "address": "0x5a450",
                "name": "??0exception@@QAE@ABQBD@Z"
              },
              {
                "address": "0x5a454",
                "name": "??0exception@@QAE@ABQBDH@Z"
              },
              {
                "address": "0x5a458",
                "name": "??0exception@@QAE@ABV0@@Z"
              },
              {
                "address": "0x5a45c",
                "name": "??1exception@@UAE@XZ"
              },
              {
                "address": "0x5a460",
                "name": "?what@exception@@UBEPBDXZ"
              },
              {
                "address": "0x5a464",
                "name": "_CxxThrowException"
              },
              {
                "address": "0x5a468",
                "name": "memcpy"
              },
              {
                "address": "0x5a46c",
                "name": "memset"
              }
            ]
          },
          "ntdll": {
            "dll": "ntdll.dll",
            "imports": [
              {
                "address": "0x5a474",
                "name": "NtOpenProcessToken"
              },
              {
                "address": "0x5a478",
                "name": "NtQueryInformationToken"
              },
              {
                "address": "0x5a47c",
                "name": "NtClose"
              },
              {
                "address": "0x5a480",
                "name": "NtOpenThreadToken"
              },
              {
                "address": "0x5a484",
                "name": "NtFsControlFile"
              },
              {
                "address": "0x5a488",
                "name": "RtlDosPathNameToNtPathName_U"
              },
              {
                "address": "0x5a48c",
                "name": "RtlFindLeastSignificantBit"
              },
              {
                "address": "0x5a490",
                "name": "RtlFreeHeap"
              },
              {
                "address": "0x5a494",
                "name": "RtlReleaseRelativeName"
              },
              {
                "address": "0x5a498",
                "name": "NtOpenFile"
              },
              {
                "address": "0x5a49c",
                "name": "RtlDosPathNameToRelativeNtPathName_U_WithStatus"
              },
              {
                "address": "0x5a4a0",
                "name": "NtSetInformationFile"
              },
              {
                "address": "0x5a4a4",
                "name": "NtQueryVolumeInformationFile"
              },
              {
                "address": "0x5a4a8",
                "name": "NtSetInformationProcess"
              },
              {
                "address": "0x5a4ac",
                "name": "NtQueryInformationProcess"
              },
              {
                "address": "0x5a4b0",
                "name": "RtlNtStatusToDosError"
              },
              {
                "address": "0x5a4b4",
                "name": "NtCancelSynchronousIoFile"
              },
              {
                "address": "0x5a4b8",
                "name": "RtlCreateUnicodeStringFromAsciiz"
              },
              {
                "address": "0x5a4bc",
                "name": "RtlFreeUnicodeString"
              }
            ]
          },
          "api-ms-win-core-kernel32-legacy-l1-1-0": {
            "dll": "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a15c",
                "name": "GetConsoleWindow"
              },
              {
                "address": "0x5a160",
                "name": "CopyFileW"
              }
            ]
          },
          "api-ms-win-core-libraryloader-l1-2-0": {
            "dll": "api-ms-win-core-libraryloader-l1-2-0.dll",
            "imports": [
              {
                "address": "0x5a168",
                "name": "GetProcAddress"
              },
              {
                "address": "0x5a16c",
                "name": "GetModuleFileNameA"
              },
              {
                "address": "0x5a170",
                "name": "LoadLibraryExW"
              },
              {
                "address": "0x5a174",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x5a178",
                "name": "GetModuleHandleExW"
              },
              {
                "address": "0x5a17c",
                "name": "GetModuleFileNameW"
              }
            ]
          },
          "api-ms-win-core-synch-l1-1-0": {
            "dll": "api-ms-win-core-synch-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a27c",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x5a280",
                "name": "TryAcquireSRWLockExclusive"
              },
              {
                "address": "0x5a284",
                "name": "CreateSemaphoreExW"
              },
              {
                "address": "0x5a288",
                "name": "CreateMutexExW"
              },
              {
                "address": "0x5a28c",
                "name": "OpenSemaphoreW"
              },
              {
                "address": "0x5a290",
                "name": "AcquireSRWLockShared"
              },
              {
                "address": "0x5a294",
                "name": "ReleaseSRWLockShared"
              },
              {
                "address": "0x5a298",
                "name": "InitializeCriticalSection"
              },
              {
                "address": "0x5a29c",
                "name": "EnterCriticalSection"
              },
              {
                "address": "0x5a2a0",
                "name": "ReleaseSemaphore"
              },
              {
                "address": "0x5a2a4",
                "name": "ReleaseSRWLockExclusive"
              },
              {
                "address": "0x5a2a8",
                "name": "LeaveCriticalSection"
              },
              {
                "address": "0x5a2ac",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x5a2b0",
                "name": "WaitForSingleObjectEx"
              }
            ]
          },
          "api-ms-win-core-heap-l1-1-0": {
            "dll": "api-ms-win-core-heap-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a128",
                "name": "HeapAlloc"
              },
              {
                "address": "0x5a12c",
                "name": "HeapSetInformation"
              },
              {
                "address": "0x5a130",
                "name": "HeapReAlloc"
              },
              {
                "address": "0x5a134",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x5a138",
                "name": "HeapSize"
              },
              {
                "address": "0x5a13c",
                "name": "HeapFree"
              }
            ]
          },
          "api-ms-win-core-errorhandling-l1-1-0": {
            "dll": "api-ms-win-core-errorhandling-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a07c",
                "name": "SetLastError"
              },
              {
                "address": "0x5a080",
                "name": "GetLastError"
              },
              {
                "address": "0x5a084",
                "name": "SetErrorMode"
              },
              {
                "address": "0x5a088",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x5a08c",
                "name": "SetUnhandledExceptionFilter"
              }
            ]
          },
          "api-ms-win-core-processthreads-l1-1-0": {
            "dll": "api-ms-win-core-processthreads-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a1f0",
                "name": "GetStartupInfoW"
              },
              {
                "address": "0x5a1f4",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x5a1f8",
                "name": "CreateProcessW"
              },
              {
                "address": "0x5a1fc",
                "name": "CreateProcessAsUserW"
              },
              {
                "address": "0x5a200",
                "name": "UpdateProcThreadAttribute"
              },
              {
                "address": "0x5a204",
                "name": "InitializeProcThreadAttributeList"
              },
              {
                "address": "0x5a208",
                "name": "GetExitCodeProcess"
              },
              {
                "address": "0x5a20c",
                "name": "TerminateProcess"
              },
              {
                "address": "0x5a210",
                "name": "GetCurrentProcessId"
              },
              {
                "address": "0x5a214",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x5a218",
                "name": "DeleteProcThreadAttributeList"
              },
              {
                "address": "0x5a21c",
                "name": "OpenThread"
              },
              {
                "address": "0x5a220",
                "name": "ResumeThread"
              }
            ]
          },
          "api-ms-win-core-localization-l1-2-0": {
            "dll": "api-ms-win-core-localization-l1-2-0.dll",
            "imports": [
              {
                "address": "0x5a184",
                "name": "GetLocaleInfoW"
              },
              {
                "address": "0x5a188",
                "name": "FormatMessageW"
              },
              {
                "address": "0x5a18c",
                "name": "SetThreadLocale"
              },
              {
                "address": "0x5a190",
                "name": "GetACP"
              },
              {
                "address": "0x5a194",
                "name": "GetThreadLocale"
              },
              {
                "address": "0x5a198",
                "name": "GetUserDefaultLCID"
              },
              {
                "address": "0x5a19c",
                "name": "GetCPInfo"
              }
            ]
          },
          "api-ms-win-core-debug-l1-1-0": {
            "dll": "api-ms-win-core-debug-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a05c",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x5a060",
                "name": "IsDebuggerPresent"
              },
              {
                "address": "0x5a064",
                "name": "DebugBreak"
              }
            ]
          },
          "api-ms-win-core-handle-l1-1-0": {
            "dll": "api-ms-win-core-handle-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a11c",
                "name": "CloseHandle"
              },
              {
                "address": "0x5a120",
                "name": "DuplicateHandle"
              }
            ]
          },
          "api-ms-win-core-memory-l1-1-0": {
            "dll": "api-ms-win-core-memory-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a1a4",
                "name": "VirtualFree"
              },
              {
                "address": "0x5a1a8",
                "name": "VirtualAlloc"
              },
              {
                "address": "0x5a1ac",
                "name": "VirtualQuery"
              },
              {
                "address": "0x5a1b0",
                "name": "ReadProcessMemory"
              }
            ]
          },
          "api-ms-win-core-console-l1-1-0": {
            "dll": "api-ms-win-core-console-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a008",
                "name": "ReadConsoleW"
              },
              {
                "address": "0x5a00c",
                "name": "WriteConsoleW"
              },
              {
                "address": "0x5a010",
                "name": "GetConsoleMode"
              },
              {
                "address": "0x5a014",
                "name": "SetConsoleMode"
              },
              {
                "address": "0x5a018",
                "name": "SetConsoleCtrlHandler"
              },
              {
                "address": "0x5a01c",
                "name": "GetConsoleOutputCP"
              }
            ]
          },
          "api-ms-win-core-file-l1-1-0": {
            "dll": "api-ms-win-core-file-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a094",
                "name": "ReadFile"
              },
              {
                "address": "0x5a098",
                "name": "GetFileAttributesW"
              },
              {
                "address": "0x5a09c",
                "name": "GetFileSize"
              },
              {
                "address": "0x5a0a0",
                "name": "SetFilePointer"
              },
              {
                "address": "0x5a0a4",
                "name": "GetFullPathNameW"
              },
              {
                "address": "0x5a0a8",
                "name": "GetVolumePathNameW"
              },
              {
                "address": "0x5a0ac",
                "name": "CreateFileW"
              },
              {
                "address": "0x5a0b0",
                "name": "WriteFile"
              },
              {
                "address": "0x5a0b4",
                "name": "SetFilePointerEx"
              },
              {
                "address": "0x5a0b8",
                "name": "FindFirstFileExW"
              },
              {
                "address": "0x5a0bc",
                "name": "GetDiskFreeSpaceExW"
              },
              {
                "address": "0x5a0c0",
                "name": "FileTimeToLocalFileTime"
              },
              {
                "address": "0x5a0c4",
                "name": "CompareFileTime"
              },
              {
                "address": "0x5a0c8",
                "name": "RemoveDirectoryW"
              },
              {
                "address": "0x5a0cc",
                "name": "FindFirstFileW"
              },
              {
                "address": "0x5a0d0",
                "name": "GetFileType"
              },
              {
                "address": "0x5a0d4",
                "name": "FindNextFileW"
              },
              {
                "address": "0x5a0d8",
                "name": "FindClose"
              },
              {
                "address": "0x5a0dc",
                "name": "GetVolumeInformationW"
              },
              {
                "address": "0x5a0e0",
                "name": "SetFileTime"
              },
              {
                "address": "0x5a0e4",
                "name": "DeleteFileW"
              },
              {
                "address": "0x5a0e8",
                "name": "SetEndOfFile"
              },
              {
                "address": "0x5a0ec",
                "name": "SetFileAttributesW"
              },
              {
                "address": "0x5a0f0",
                "name": "CreateDirectoryW"
              },
              {
                "address": "0x5a0f4",
                "name": "GetDriveTypeW"
              },
              {
                "address": "0x5a0f8",
                "name": "FlushFileBuffers"
              },
              {
                "address": "0x5a0fc",
                "name": "GetFileAttributesExW"
              }
            ]
          },
          "api-ms-win-core-string-l1-1-0": {
            "dll": "api-ms-win-core-string-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a264",
                "name": "WideCharToMultiByte"
              },
              {
                "address": "0x5a268",
                "name": "MultiByteToWideChar"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-1-0": {
            "dll": "api-ms-win-core-processenvironment-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a1b8",
                "name": "SetEnvironmentStringsW"
              },
              {
                "address": "0x5a1bc",
                "name": "GetStdHandle"
              },
              {
                "address": "0x5a1c0",
                "name": "SetEnvironmentVariableW"
              },
              {
                "address": "0x5a1c4",
                "name": "GetCurrentDirectoryW"
              },
              {
                "address": "0x5a1c8",
                "name": "FreeEnvironmentStringsW"
              },
              {
                "address": "0x5a1cc",
                "name": "ExpandEnvironmentStringsW"
              },
              {
                "address": "0x5a1d0",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x5a1d4",
                "name": "GetEnvironmentStringsW"
              },
              {
                "address": "0x5a1d8",
                "name": "SetCurrentDirectoryW"
              },
              {
                "address": "0x5a1dc",
                "name": "SearchPathW"
              },
              {
                "address": "0x5a1e0",
                "name": "GetCommandLineW"
              }
            ]
          },
          "api-ms-win-core-console-l2-1-0": {
            "dll": "api-ms-win-core-console-l2-1-0.dll",
            "imports": [
              {
                "address": "0x5a024",
                "name": "SetConsoleTextAttribute"
              },
              {
                "address": "0x5a028",
                "name": "GetConsoleScreenBufferInfo"
              },
              {
                "address": "0x5a02c",
                "name": "FillConsoleOutputAttribute"
              },
              {
                "address": "0x5a030",
                "name": "FlushConsoleInputBuffer"
              },
              {
                "address": "0x5a034",
                "name": "FillConsoleOutputCharacterW"
              },
              {
                "address": "0x5a038",
                "name": "SetConsoleCursorPosition"
              },
              {
                "address": "0x5a03c",
                "name": "ScrollConsoleScreenBufferW"
              }
            ]
          },
          "api-ms-win-security-base-l1-1-0": {
            "dll": "api-ms-win-security-base-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a304",
                "name": "RevertToSelf"
              },
              {
                "address": "0x5a308",
                "name": "GetSecurityDescriptorOwner"
              },
              {
                "address": "0x5a30c",
                "name": "GetFileSecurityW"
              }
            ]
          },
          "api-ms-win-core-sysinfo-l1-1-0": {
            "dll": "api-ms-win-core-sysinfo-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a2c0",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x5a2c4",
                "name": "GetSystemTime"
              },
              {
                "address": "0x5a2c8",
                "name": "GetTickCount"
              },
              {
                "address": "0x5a2cc",
                "name": "SetLocalTime"
              },
              {
                "address": "0x5a2d0",
                "name": "GetLocalTime"
              },
              {
                "address": "0x5a2d4",
                "name": "GetVersion"
              },
              {
                "address": "0x5a2d8",
                "name": "GetWindowsDirectoryW"
              }
            ]
          },
          "api-ms-win-core-timezone-l1-1-0": {
            "dll": "api-ms-win-core-timezone-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a2ec",
                "name": "FileTimeToSystemTime"
              },
              {
                "address": "0x5a2f0",
                "name": "SystemTimeToFileTime"
              }
            ]
          },
          "api-ms-win-core-datetime-l1-1-0": {
            "dll": "api-ms-win-core-datetime-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a050",
                "name": "GetTimeFormatW"
              },
              {
                "address": "0x5a054",
                "name": "GetDateFormatW"
              }
            ]
          },
          "api-ms-win-core-systemtopology-l1-1-0": {
            "dll": "api-ms-win-core-systemtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a2e0",
                "name": "GetNumaHighestNodeNumber"
              },
              {
                "address": "0x5a2e4",
                "name": "GetNumaNodeProcessorMaskEx"
              }
            ]
          },
          "api-ms-win-core-console-l2-2-0": {
            "dll": "api-ms-win-core-console-l2-2-0.dll",
            "imports": [
              {
                "address": "0x5a044",
                "name": "SetConsoleTitleW"
              },
              {
                "address": "0x5a048",
                "name": "GetConsoleTitleW"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-2-0": {
            "dll": "api-ms-win-core-processenvironment-l1-2-0.dll",
            "imports": [
              {
                "address": "0x5a1e8",
                "name": "NeedCurrentDirectoryForExePathW"
              }
            ]
          },
          "api-ms-win-core-registry-l1-1-0": {
            "dll": "api-ms-win-core-registry-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a240",
                "name": "RegSetValueExW"
              },
              {
                "address": "0x5a244",
                "name": "RegCreateKeyExW"
              },
              {
                "address": "0x5a248",
                "name": "RegOpenKeyExW"
              },
              {
                "address": "0x5a24c",
                "name": "RegQueryValueExW"
              },
              {
                "address": "0x5a250",
                "name": "RegCloseKey"
              },
              {
                "address": "0x5a254",
                "name": "RegDeleteValueW"
              },
              {
                "address": "0x5a258",
                "name": "RegDeleteKeyExW"
              },
              {
                "address": "0x5a25c",
                "name": "RegEnumKeyExW"
              }
            ]
          },
          "api-ms-win-core-file-l2-1-0": {
            "dll": "api-ms-win-core-file-l2-1-0.dll",
            "imports": [
              {
                "address": "0x5a104",
                "name": "CreateSymbolicLinkW"
              },
              {
                "address": "0x5a108",
                "name": "GetFileInformationByHandleEx"
              },
              {
                "address": "0x5a10c",
                "name": "MoveFileExW"
              },
              {
                "address": "0x5a110",
                "name": "MoveFileWithProgressW"
              },
              {
                "address": "0x5a114",
                "name": "CreateHardLinkW"
              }
            ]
          },
          "api-ms-win-core-heap-l2-1-0": {
            "dll": "api-ms-win-core-heap-l2-1-0.dll",
            "imports": [
              {
                "address": "0x5a144",
                "name": "GlobalFree"
              },
              {
                "address": "0x5a148",
                "name": "GlobalAlloc"
              },
              {
                "address": "0x5a14c",
                "name": "LocalFree"
              }
            ]
          },
          "api-ms-win-core-io-l1-1-0": {
            "dll": "api-ms-win-core-io-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a154",
                "name": "DeviceIoControl"
              }
            ]
          },
          "api-ms-win-core-winrt-l1-1-0": {
            "dll": "api-ms-win-core-winrt-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a2f8",
                "name": "RoInitialize"
              },
              {
                "address": "0x5a2fc",
                "name": "RoUninitialize"
              }
            ]
          },
          "api-ms-win-core-processtopology-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a228",
                "name": "GetThreadGroupAffinity"
              }
            ]
          },
          "api-ms-win-core-synch-l1-2-0": {
            "dll": "api-ms-win-core-synch-l1-2-0.dll",
            "imports": [
              {
                "address": "0x5a2b8",
                "name": "Sleep"
              }
            ]
          },
          "api-ms-win-core-profile-l1-1-0": {
            "dll": "api-ms-win-core-profile-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a238",
                "name": "QueryPerformanceCounter"
              }
            ]
          },
          "api-ms-win-core-string-obsolete-l1-1-0": {
            "dll": "api-ms-win-core-string-obsolete-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a270",
                "name": "lstrcmpW"
              },
              {
                "address": "0x5a274",
                "name": "lstrcmpiW"
              }
            ]
          },
          "api-ms-win-core-processtopology-obsolete-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a230",
                "name": "SetProcessAffinityMask"
              }
            ]
          },
          "api-ms-win-core-apiquery-l1-1-0": {
            "dll": "api-ms-win-core-apiquery-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a000",
                "name": "ApiSetQueryApiSetPresence"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-1": {
            "dll": "api-ms-win-core-delayload-l1-1-1.dll",
            "imports": [
              {
                "address": "0x5a074",
                "name": "ResolveDelayLoadedAPI"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-0": {
            "dll": "api-ms-win-core-delayload-l1-1-0.dll",
            "imports": [
              {
                "address": "0x5a06c",
                "name": "DelayLoadFailureHook"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0004a4c8",
            "size": "0x000002f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0004e000",
            "size": "0x000084f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00057000",
            "size": "0x000025f0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x000035a0",
            "size": "0x00000054"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x000015d0",
            "size": "0x000000ac"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x0002cd9c",
            "size": "0x00000080"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x0002d000",
            "size_of_data": "0x0002c000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.54"
          },
          {
            "name": ".data",
            "raw_address": "0x0002c400",
            "virtual_address": "0x0002e000",
            "virtual_size": "0x0001c000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "2.98"
          },
          {
            "name": ".idata",
            "raw_address": "0x0002c600",
            "virtual_address": "0x0004a000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "5.64"
          },
          {
            "name": ".didat",
            "raw_address": "0x0002ec00",
            "virtual_address": "0x0004d000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.69"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x0002ee00",
            "virtual_address": "0x0004e000",
            "virtual_size": "0x00009000",
            "size_of_data": "0x00008600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.36"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00037400",
            "virtual_address": "0x00057000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "6.80"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "MUI",
            "offset": "0x00056420",
            "size": "0x000000d8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.68"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004e778",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.65"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004ede0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004f0c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004f1f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.06"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00050098",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00050940",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00050ea8",
            "size": "0x0000169e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.85"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00052548",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00054af0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00055b98",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00056000",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00056098",
            "size": "0x00000388",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.50"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0004e350",
            "size": "0x00000426",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Windows Command Processor"
          },
          {
            "name": "FileVersion",
            "value": "10.0.19041.746 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "cmd"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "Cmd.Exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® Windows® Operating System"
          },
          {
            "name": "ProductVersion",
            "value": "10.0.19041.746"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "392b4d61b1d1dadc1f06444df258188a",
        "timestamp": "2102-04-20 00:53:43",
        "icon": "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",
        "icon_hash": "00d152c1523e56c619d25f6c96c21a41",
        "icon_fuzzy": "e55641fba39eaff4ee89e5fc0af8f337",
        "icon_dhash": "a2ae7a370101a3c0",
        "imported_dll_count": 37
      },
      "data": null,
      "strings": [
        "7!8,8L8q8{8",
        "*taf;M",
        "D$(PQ",
        "D$xPj",
        "lext-ms-win-cmd-util-l1-1-0",
        "DISABLEEXTENSIONS",
        ": :&:N:m:",
        "NtQueryInformationProcess",
        ": :.:G:M:S:Z:`:k:r:",
        "2Q2W2]2c2h2n2",
        "60666:6G6U6k6u6",
        "_ultoa",
        "5G5U5b5",
        "GetFullPathNameW",
        "696^6",
        "COLOR",
        "interrupted",
        "0$0,040<0D0L0T0X0\\0`0d0h0l0p0t0x0|0",
        " %x %c",
        "f;D$(u",
        " &()[]{}^=;!%'+,`~",
        "=W>]>",
        ".bss$00",
        ";-<F<P<U<e<",
        "#0;0M0}0",
        "message size",
        "4I4X4",
        "|$B:tQ",
        "no_buffer_space",
        "api-ms-win-core-synch-l1-1-0.dll",
        "memcpy",
        "api-ms-win-core-file-l1-1-0.dll",
        "=0=]=h=",
        "usebackq",
        "@u-QQ",
        ">&?.?D?L?i?s?",
        "GetModuleFileNameA",
        "GetCurrentProcessId",
        "?+?v?",
        ".CRT$XCU",
        "api-ms-win-core-synch-l1-2-0.dll",
        "connection_refused",
        "CMD Internal Error %s",
        "9Q9y9",
        "MKLINK",
        "permission_denied",
        "ASSOC",
        "CloseHandle",
        "=c>p>",
        "9):B:Q:",
        "Redir: ",
        "001>1N1p1u1",
        "=\"=F=J=N=R=V=Z=^=b=f=j=",
        "LegalCopyright",
        "GetCommandLineW",
        "ext-ms-win-branding-winbrand-l1-1-1",
        "D$,SPQ",
        "0\"1R1",
        "\\XCOPY.EXE",
        "PQQQV",
        "4'5A5",
        ".CRT$XIZ",
        "            <requestedExecutionLevel",
        "Sleep",
        ".text$yd",
        "MessageBeepStub",
        "HeapFree",
        "9 979F9",
        "invalid string position",
        ".xdata$x",
        "3C3O3m3",
        "FlushConsoleInputBuffer",
        "GetCurrentThreadId",
        "AcquireSRWLockShared",
        ">1?9?",
        "0!1q1",
        "CMDEXTVERSION",
        "QQVWj",
        "j\"Yf;",
        "%hs(%u)\\%hs!%p: ",
        "VPj!S",
        "HH:mm:ss t",
        "NtFsControlFile",
        ";Q;p;x;",
        "no such device or address",
        "f98u]",
        "SetUnhandledExceptionFilter",
        "ScrollConsoleScreenBufferW",
        ":X:l:",
        "E$uwM",
        "j-Zj/Yf;",
        ".rdata$sxdata",
        "_wcsnicmp",
        "destination_address_required",
        "api-ms-win-core-timezone-l1-1-0.dll",
        "WaitForSingleObject",
        "t#h4&",
        "rmdir ",
        "D$D;D$,",
        "9\"949F9M9U9[9n9u9",
        "WWWSQ",
        "9*:P:}:",
        "@PVVWSQ",
        "HeapSetInformation",
        "@$9Q w",
        "ext-ms-win-shell-shell32-l1-2-3",
        "GetWindowsDirectoryW",
        ">3>C>X?u?",
        "1%1+1P1l1}1",
        "BrandingFormatString",
        "QRRRP",
        "171p1",
        "GetFileInformationByHandleEx",
        "iH4-N",
        "u)Rh7#",
        ":):R:",
        "u3SSh,<",
        "\\$0SP",
        "SetLocalTime",
        "7$8,8;8C8K8p8v8}8",
        "1j1o1",
        "9t$$~n",
        "7&7-7=7S7Z7f7}7",
        "api-ms-win-core-heap-l1-1-0.dll",
        "3c4p4",
        "1 1&1C1~1",
        "Null environment",
        "8.8X8",
        "    <windowsSettings xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">",
        "PSh[#",
        ".didat$3",
        "?Y?s?",
        "?Q?X?",
        "2$3/3:3H3p3",
        "ResumeThread",
        "VirtualAlloc",
        "VVVVR",
        "BELOWNORMAL",
        "read only file system",
        "api-ms-win-security-base-l1-1-0.dll",
        "2$2,242<2D2L2T2\\2d2l2t2|2",
        "no_protocol_option",
        "304g4",
        "not_connected",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "                uiAccess=\"false\"",
        "no link",
        ".text$mn",
        ")030`0",
        "1e1j1",
        "3-3;3I3",
        "7<7^7",
        "Se%ae`",
        "<J<r<",
        "vHYY3",
        "iswxdigit",
        "2(2/2H2W2]2m2",
        "ABOVENORMAL",
        "api-ms-win-core-console-l2-2-0.dll",
        "iswspace",
        "MKDIR",
        "protocol_not_supported",
        "t%j\\Xf;",
        "connection reset",
        "3$3)313;3E3M3X3`3j3t3",
        "8\"8<8h8",
        "operation not supported",
        "t$TShT#",
        ";D;H;d;h;x;",
        "_ _^[",
        "host unreachable",
        "778I8",
        "T$tRP",
        "FormatMessageW",
        "s%hL#",
        "NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
        "GetVersion",
        "KERNEL32.DLL",
        ".data$00",
        ":,:1:",
        "ferror",
        "@_^[]",
        "                level=\"asInvoker\"",
        "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
        "3G4N4",
        ">8>E>",
        "no lock available",
        "DebugBreak",
        "??1type_info@@UAE@XZ",
        "SVWj/Xf",
        "6!6'6-636=6L6R6Z6y6~6",
        ">!>D>L>",
        "6 6W6",
        "\\CMD.EXE",
        "result out of range",
        "RMDIR",
        "CreateProcessW",
        "cCBR_p",
        "889=9C9I9o9x9",
        "COPYCMD",
        ".text",
        "TryAcquireSRWLockExclusive",
        ">i?y?",
        "j\\Yf9",
        "wrong_protocol_type",
        "Y__^[",
        "XXX8Pvh8v",
        "SetFilePointer",
        "3!3H3O3Z3b3n3",
        "NEWWINDOW",
        "9#989P9^9b9i9o9",
        "SetErrorMode",
        "7 7*7;7E7S7]7j7r7",
        "api-ms-win-core-registry-l1-1-0.dll",
        "api-ms-win-core-handle-l1-1-0.dll",
        "4*414?4F4T4[4",
        "pushd ",
        "?Q?V?m?",
        "fprintf",
        "NTDLL.DLL",
        "1'141>1L1a1",
        "j:Xf9F",
        "ReadFile",
        "api-ms-win-core-profile-l1-1-0.dll",
        "j Xf9DN",
        "6@6`6",
        "7]8i8v8",
        ".CRT$XIY",
        "3%3X3}3",
        "too many files open",
        "SetConsoleCursorPosition",
        "3%4}4",
        "SetCurrentDirectoryW",
        "_lock",
        "8&888",
        "yy/MM/dd",
        "L$xQ3",
        "(%s) %s ",
        "[%hs]",
        "<$=,=<=R=Z=j=~=",
        "CMD.EXE",
        "api-ms-win-core-systemtopology-l1-1-0.dll",
        "PUSHD",
        "8S8Y8",
        "3_3s3",
        "connection_aborted",
        "L$8RQRP",
        "_wcsicmp",
        "    /D /c\"",
        "LoadLibraryExW",
        "SetFilePointerEx",
        "_exit",
        "WGeToken: (%x) '%s'",
        "939A9H9{9",
        ";,;:;",
        ".idata",
        "is a directory",
        "connection_already_in_progress",
        "RegDeleteValueW",
        "3ntdll.dll",
        "RtlDosPathNameToRelativeNtPathName_U_WithStatus",
        "t5j Y",
        ": ;&;D;",
        "4$4.464B4J4X4`4",
        "t$0j ",
        "6H7R7f7v7}7",
        "EnableExtensions",
        "_errno",
        "C0K0Q0W0j0{0",
        ";Q<Z<",
        " Microsoft Corporation. All rights reserved.",
        "APerformUnaryOperation: '%c'",
        "pqacG%%apppppppaB",
        ".?AVbad_alloc@std@@",
        "api-ms-win-core-delayload-l1-1-0.dll",
        "8(8/8G8h8t8z8",
        "_pclose",
        "SetFileTime",
        "8<8b8l8q8",
        "0>0r0",
        "000H0h0",
        "wwwwwwww",
        "8'8.8H8",
        "VirtualQuery",
        "4r6}6",
        "949P9V9`9f9s9w9",
        "D$ PW",
        "7E8O8",
        "CMDCMDLINE",
        "TerminateProcess",
        "DelayLoadFailureHook",
        "0_0h0",
        "file too large",
        "D$PSV",
        "dd/MM/yy",
        "<application  xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "j\\^f9q",
        ".rsrc$02",
        "wwwwwwwwp",
        "0 0$0(0,0004080@0",
        "AutoRun",
        "=/=G=z=",
        "GetStdHandle",
        "041=1O1X1",
        "SHARED",
        "PAUSE",
        "3)515",
        "%s %s ",
        "owner dead",
        "se%%%%% R",
        "%02d%s%02d%s%02d",
        "HeapSize",
        "31383",
        "ERASE",
        "wcstol",
        "_setjmp3",
        "9#9+9C9[9b9}9",
        "='=5=C=T=\\=r=z=",
        "NtQueryInformationToken",
        "</assembly>",
        "GetSystemTime",
        ".data$zz",
        ".bss$zz",
        "=8=X=t=x=",
        "GetLocalTime",
        "GetConsoleTitleW",
        "VCShv#",
        "argument out of domain",
        "T$$9T$",
        "*0L0w0",
        ":$;4;",
        "??1exception@@UAE@XZ",
        "ENDLOCAL",
        "rEj=Xf9",
        "91:K:\\:",
        "inappropriate io control operation",
        "wcsrchr",
        ".CRT$XIAA",
        "filename too long",
        "connection aborted",
        "SetProcessAffinityMask",
        "WNetAddConnection2WStub",
        "iWWSQ",
        "GetTickCount",
        "GetDiskFreeSpaceExW",
        ".idata$3",
        "uCj\\Z",
        "<t:-,",
        "connection already in progress",
        "printf",
        "no buffer space",
        "2;2P2e2x2",
        "405h5",
        " [..]",
        "u0!G\\",
        "3D3X3l3",
        "Application",
        "address_not_available",
        "*** Unknown type: %x",
        "D$495",
        "__set_app_type",
        "D$pPS",
        "797Y7",
        "#D$Lt",
        "1,1q1!2'2]2",
        "6%6<6P6g6q6|6",
        "6'6\\6",
        "GetVolumePathNameW",
        "QueryPerformanceCounter",
        "0A0\\0e0k0p0y0",
        "ext-ms-win-cmd-util-l1-1-0.dll",
        "CreateSymbolicLinkW",
        "timed_out",
        "<$<j<o<t<",
        "identifier removed",
        "010@0N0U0",
        "NtSetInformationProcess",
        "%d.%d.%05d.%d",
        "io error",
        "VPSRW",
        "=B>O>\\>",
        "executable format error",
        "j\\Zf9",
        ".didat$6",
        "5Y5z5",
        "_callnewh",
        "Windows Command Processor",
        "I8SV3",
        "no such file or directory",
        "j\"Xf9",
        "qsort",
        ".CRT$XCAA",
        "9n9z9",
        "; ;&;+;1;7;K;V;[;a;g;",
        "D$H9D$D",
        ".text$zs",
        "CallContext:[%hs] ",
        ";O;^;v;};",
        "api-ms-win-core-string-obsolete-l1-1-0.dll",
        "VarFileInfo",
        "WaitForSingleObjectEx",
        ".rdata$brc",
        "wcsstr",
        "MultiByteToWideChar",
        "t5PPQh",
        "api-ms-win-core-libraryloader-l1-2-0.dll",
        "_tell",
        ".text$np",
        "929O9U9f9{9F:",
        "__p__commode",
        "t$Sh4&",
        "ProductVersion",
        "ENABLEEXTENSIONS",
        "@PVVWS",
        ">+>>>B>F>J>N>R>V>Z>^>b>u>",
        "RoInitialize",
        "FTYPE",
        "Vj/Xf",
        "CreateSemaphoreExW",
        "</application>",
        "QPh,\"",
        "u)Rh8#",
        "2!2'2W2w2",
        "5\"5'5.565F5",
        "YY[_3",
        "__dllonexit",
        "tBj0Y",
        "device or resource busy",
        "not_a_socket",
        "Msg:[%ws] ",
        "344D4P4Y4a4",
        "OutputDebugStringW",
        "PATHEXT",
        "465Y5s5",
        "<!<T<^<l<",
        "VPh]#",
        "4N4m4}4",
        "354^4",
        "0B0i1",
        "DeleteProcThreadAttributeList",
        "63696F6T6k6",
        "7(7,7@7D7X7\\7p7t7",
        "QQSVW3",
        "GetSecurityDescriptorOwner",
        "stream timeout",
        "network reset",
        "QSVWj",
        ".rdata$00",
        "98:4;;;",
        "FillConsoleOutputCharacterW",
        "SetLastError",
        ";P;V;",
        ";0<7<",
        "api-ms-win-core-console-l2-1-0.dll",
        "jdXf;",
        "2$2+272<2E2J2P2X2^2f2n2",
        "wcstoul",
        "9/:z:",
        "SHIFT",
        "=;=_=",
        "t\\SWj",
        "network_down",
        "9L:~;",
        "FillConsoleOutputAttribute",
        "<X=l=x=",
        "VVVQV",
        "WriteFile",
        "            />",
        "PU,//",
        ">*?H?N?i?n?s?",
        "delims=",
        "j\"ZRV",
        "PWhl;",
        "<'</<n<",
        "Local\\SM0:%d:%d:%hs",
        "COMSPEC",
        "=,;+/[] ",
        "FlushFileBuffers",
        " }0j@",
        "system",
        "FindNextFileW",
        "090C0",
        "ext-ms-win-branding-winbrand-l1-2-0",
        "%s=%s",
        ":-;<;K;",
        "cG?CCRRRRP`R",
        "10.0.19041.746",
        "x]j:Xf",
        "ProductName",
        ".?AVexception@@",
        ";2;I;R;];d;v;|;",
        "VirtualFree",
        "t\"j*Z",
        "0 0B0b0",
        "VShb#",
        ".idata$2",
        "9T:Z:",
        "??3@YAXPAX@Z",
        "FailFast",
        "not supported",
        "5>5R5",
        "7,7H7",
        "_onexit",
        "7C8]8",
        "ext-ms-win-branding-winbrand-l1-1-0.dll",
        "!This program cannot be run in DOS mode.",
        ".00cfg",
        "D$8f90",
        ";@<M<S<f<r<y<",
        ".bss$pr00",
        "5#636D6U6",
        "network down",
        "SetConsoleInputExeNameW",
        "!616A6R6V6\\6`6f6j6r6v6|6",
        "7Y7k7v7",
        "t$<WP",
        "ext-ms-win-shell-shell32-l1-3-0",
        "='>9>D>R>_>",
        "FindFirstFileW",
        "DEFINED",
        "malloc",
        "WShD#",
        "cross device link",
        "<3=i=v=",
        "6,7B7I7g7n7",
        "FindNextStreamWStub",
        "VPj#S",
        "8#828A8F8Z8i8",
        ".text$zy",
        "GetCurrentDirectoryW",
        "__iob_func",
        "4`5d5h5l5p5t5",
        "SVWt j",
        "RtlFindLeastSignificantBit",
        "UpdateProcThreadAttribute",
        "7\"7D7K7Q7f7k7s7",
        "bad_file_descriptor",
        "DuplicateHandle",
        "    </security>",
        "2]3i3{3",
        "GetThreadGroupAffinity",
        "DeleteFileW",
        "v<YY3",
        "848B8b8g8",
        "t$,WQ",
        "api-ms-win-core-localization-l1-2-0.dll",
        "FindClose",
        "9!9<9s9",
        "323<3",
        "RShl;",
        "tYh$ ",
        "not a directory",
        ";2<K<[<",
        "((((&&(&&&(&(&&&&&&(((#&&###",
        "2:3H3|3",
        "j\"[umf9",
        "BREAK",
        ">:>h>",
        "DelayedExpansion",
        "no stream resources",
        "0<1R1g1v1|1",
        "v<Wh@:",
        "t$ WWWV",
        "=\">Q>",
        "=q?{?",
        "START",
        "PathCompletionChar",
        "NtSetInformationFile",
        "Copyright (c) Microsoft Corporation. All rights reserved.",
        "979C9S9l9",
        "4m4~4",
        "too many links",
        "O8j*Z",
        "FOR/?",
        "??0exception@@QAE@ABQBD@Z",
        ":%:,:::C:z:",
        "NORMAL",
        "kernelbase.dll",
        "InitializeProcThreadAttributeList",
        "GetFileSecurityW",
        "MoveFileWithProgressW",
        "RtlReleaseRelativeName",
        "DIRCMD",
        "0*1Q1",
        "DefaultColor",
        "D$(VW",
        "2%232C2N2e2z2",
        "=0I0N0j0q0",
        ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",
        "tSj/Z",
        "j\\Zj:Yf",
        " /K %s",
        "9 969;9C9e9",
        "D$ PV",
        "314V4n4",
        "GetConsoleMode",
        "D$xPh",
        "ENABLEDELAYEDEXPANSION",
        "0P133b3x3",
        "??_V@YAXPAX@Z",
        ";8;m;w;",
        "j\\Zj:^f9p",
        "T$ PQS",
        "GetUserDefaultLCID",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "3!3)3;3A3",
        "api-ms-win-core-file-l2-1-0.dll",
        "!KD4)#",
        "TITLE",
        ".?AVlogic_error@std@@",
        "<assemblyIdentity",
        "D$hPQj",
        "j/Xf;",
        "t$<hx@",
        ">(>P>f>s>",
        "FileVersion",
        "bad message",
        "no such device",
        ".text$zz",
        "__setusermatherr",
        "api-ms-win-core-debug-l1-1-0.dll",
        ".idata$4",
        " [...]",
        "PROMPT",
        ":.;^;",
        "<1<:<C<",
        "L$ h(#",
        "WriteConsoleW",
        "WNetCancelConnection2WStub",
        "Yj f;",
        "DisableCMD",
        "APerformArithmeticOperation: '%c'",
        "3B3_3",
        "RENAME",
        "@8f90",
        ".data",
        ":S:`:",
        "7I7h7",
        "0P0W0f0m0|0",
        "0/0A0",
        "address_family_not_supported",
        "    </windowsSettings>",
        "60676C6Y6a6h6{6",
        "eIDATx",
        "_getch",
        ".rsrc",
        "_CxxThrowException",
        "CompletionChar",
        " Operating System",
        "REM /?",
        ".rdata$00$brc",
        "NtQueryVolumeInformationFile",
        "uBSWR",
        ".data$r$brc",
        "Translation",
        "already_connected",
        "GlobalAlloc",
        "0;0m0",
        "T$$;T$",
        "function not supported",
        "lstrcmpW",
        " v,PW",
        "wrong protocol type",
        ":#:(:8:n:{:",
        ".didat$2",
        "GetLastError",
        "3*353B3P3Z3d3n3x3",
        "HeapReAlloc",
        "?what@exception@@UBEPBDXZ",
        "<;<J<Q<s<",
        "onecore\\base\\cmd\\maxpathawarestring.cpp",
        ":(:D:H:d:h:",
        "InternalName",
        "tMj Y",
        "4C4H4",
        "SetConsoleMode",
        "<!-- Copyright (c) Microsoft Corporation -->",
        "_close",
        ".didat$4",
        ":2:C:q:",
        "useback",
        "\\Shell\\Open\\Command",
        "VQRPS",
        "srand",
        "t$ t%S",
        "=A=W=^=g=",
        "api-ms-win-core-processenvironment-l1-1-0.dll",
        "GetExitCodeProcess",
        "6\"6(6,6?6D6U6s6y6",
        "fflush",
        "{~WPh",
        "GetDriveTypeW",
        "D$`PV",
        "313D3",
        "040904B0",
        "no message",
        "already connected",
        "GetSystemTimeAsFileTime",
        "FileTimeToSystemTime",
        "?\"?d?p?x?",
        "SetConsoleTitleW",
        ".gljmp",
        "[%hs(%hs)]",
        ":(:,:@:D:X:\\:",
        "bad_address",
        "ShellExecuteWorker",
        ";4;L;`;d;x;|;",
        "3*3/3y3",
        "    version=\"5.1.0.0\"",
        "VPh@:",
        "j/Yf;",
        "api-ms-win-core-apiquery-l1-1-0.dll",
        "91:;:L:`:j:{:",
        "Vj ^S",
        "<0W0b0f0r0v0",
        "5u6~6",
        "cmd.pdb",
        "address not available",
        "D$hP3",
        "en-US",
        "ctff;",
        "?$?+???I?{?",
        "D$`;D$d",
        "realloc",
        "LeaveCriticalSection",
        "1.13191E1J1P1i1",
        "ntdll.dll",
        "ReleaseSRWLockShared",
        "protocol not supported",
        ".gfids",
        "no message available",
        ">)>4>H>",
        "j\\^f91",
        "j\\Xf;",
        "iostream",
        "uqj?Z",
        "D3blc",
        "<k<q<",
        "%s (%s) %s",
        "memset",
        "2#3l3",
        "575>5F5N5",
        "5 5.5<5J5",
        "6,7E7M7",
        "2$2_2e2l2",
        "+C F;C w",
        ".rsrc$01",
        "connection_reset",
        "t+Vh5#",
        "_cexit",
        "REALTIME",
        "L$8Q3",
        "4<4l4t4z4",
        "j.Yf;",
        "3$3,343<3D3L3T3\\3d3l3t3|3",
        "?*?E?K?",
        "<description>Windows Command Processor</description>",
        "D$dPS",
        "3H4`4o4",
        "    processorArchitecture=\"x86\"",
        "LogHr",
        "T$ WP",
        "D$,SVW",
        ">2>X>e>t>",
        "GetFileAttributesExW",
        "`.data",
        "ext-ms-win-shell-shell32-l1-2-0",
        "SVWj,",
        "D$ Ph",
        "VS_VERSION_INFO",
        "Software\\Classes",
        "FindFirstStreamWStub",
        "1$131<1E1Z1o1~1",
        "n<DSbb",
        "GetModuleFileNameW",
        "RANDOM",
        "?!?'?-?A?O?e?",
        "UnhandledExceptionFilter",
        "7.9\\9",
        "!wWt&H+",
        "tyj=_f;",
        "network unreachable",
        "CHDIR",
        "EXIST",
        "directory not empty",
        "argument list too long",
        "979V9]9r9y9",
        "too many symbolic link levels",
        "969E9",
        "DPATH",
        "5?6X6",
        "3/363G3",
        "5&5a5",
        ".idata$5",
        "_wcsupr",
        ".CRT$XCA",
        "_vsnwprintf",
        ":$:-:",
        "api-ms-win-core-delayload-l1-1-1.dll",
        ">9?R?d?",
        ".CRT$XCZ",
        "GetModuleHandleW",
        ":f;w;",
        "WSh!'",
        "SVWQQj",
        "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
        "Software\\Policies\\Microsoft\\Windows\\System",
        ".data$pr00",
        "Ungetting: '%s'",
        "],//cuu",
        "bad allocation",
        "CShu#",
        "<J=S=j=",
        "SetEnvironmentVariableW",
        "GetProcessHeap",
        "System",
        "protocol error",
        ":=:C:M:S:\\:a:",
        "j\\^f92u",
        "8\"8'8<8H8O8Z8a8l8s8~8",
        ".data$brc",
        "_initterm",
        ">3>P>b>",
        "Microsoft Corporation",
        "; ;%;9;>;X;",
        "8#9(9U9p9|9",
        ".didat$5",
        "GetFileSize",
        "CreateMutexExW",
        "??0exception@@QAE@ABQBDH@Z",
        "ReadConsoleW",
        "IDI_APPICON",
        "operation canceled",
        "QueryFullProcessImageNameWStub",
        "tokens=",
        "ext-ms-win-shell-shell32-l1-2-0.dll",
        "<$<8<<<@<D<H<L<P<T<X<\\<`<d<h<p<t<x<|<",
        "9U:r:",
        "calloc",
        "Aj\\^3",
        "bad file descriptor",
        "L$ PSV",
        "L$xQQ3",
        "CreateDirectoryW",
        "L$\\_^[3",
        "GetVDMCurrentDirectoriesStub",
        "474=4G4L4R4`4m4{4",
        "6 686@6",
        "    name=\"Microsoft.Windows.FileSystem.CMD\"",
        ";);B;^;",
        "GetConsoleScreenBufferInfo",
        "0(0=0K0T0c0h0m0",
        "SearchPathW",
        "api-ms-win-core-heap-l2-1-0.dll",
        "<,<4<H<P<d<l<t<|<",
        "1Q2r2",
        "<noalias>",
        "RegOpenKeyExW",
        ".?AVout_of_range@std@@",
        "939S9d9~9",
        "f;T$8u",
        "=O={=",
        "0X1]1q1",
        "F8^f90u",
        "RegSetValueExW",
        "4'40474>4Y4c4l4v4",
        "__CxxFrameHandler3",
        "959U9",
        "090?0H0T0",
        "0f;2u f",
        "ext-ms-win-branding-winbrand-l1-1-2",
        "u&QWS",
        "5@6^657T7r7",
        "NtClose",
        "not a stream",
        ">*>t>{>",
        "??0exception@@QAE@ABV0@@Z",
        "()|&=,;\"",
        "REM/?",
        "tDSSSS",
        "VSh\\#",
        "4Y4,5b5E6",
        "CompareFileTime",
        "j\\Xf9B",
        "api-ms-win-core-console-l1-1-0.dll",
        "api-ms-win-core-processenvironment-l1-2-0.dll",
        "SetConsoleCtrlHandler",
        "state not recoverable",
        "file exists",
        "Software\\Microsoft\\Command Processor",
        "ReleaseSemaphore",
        "network_unreachable",
        "CopyFileExW",
        "<5<=<F<L<",
        "api-ms-win-core-winrt-l1-1-0.dll",
        "f;D$$u",
        ">C>Z>o>",
        "_except_handler4_common",
        "skip=",
        "6?6I6Y6e6",
        "SEPARATE",
        "7$7*767=7I7Q7^7z7",
        "api-ms-win-core-sysinfo-l1-1-0.dll",
        "7D7U7[7a7|7",
        "tEht&",
        "%2d%s%02d%s%02d%s%02d",
        ".rdata$zz$brc",
        "Exception",
        ";';-;V;g;m;",
        "invalid_argument",
        "wwwwwwwwwwwwwwwwwwwww",
        "<3=t=",
        "memcmp",
        "PShT>",
        "GetTimeFormatW",
        "`j/Yf;",
        "(caller: %p) ",
        ">_^[]",
        "3#4L4",
        "GetLocaleInfoW",
        "j\\Xf9",
        ">x?}?",
        "NeedCurrentDirectoryForExePathW",
        ".didat$7",
        "j-[f;",
        "RWhl;",
        ".?AVlength_error@std@@",
        "=>=I=N=",
        "QShc#",
        "<\"=1=C=",
        "resource unavailable try again",
        "RtlCreateUnicodeStringFromAsciiz",
        "2&3t3",
        "CreateProcessAsUserW",
        "2)202T2e2k2",
        "cmd.exe",
        "1B1N1i1t1",
        "4qaCCRCCCB",
        "address in use",
        "<!<&<1<7<A<X<n</=",
        "DeviceIoControl",
        "4sf9>",
        "GetCPInfo",
        "CmdBatNotificationStub",
        "21262>2",
        "j$Xf;",
        "FileTimeToLocalFileTime",
        "_amsg_exit",
        "lstrcmpiW",
        "towlower",
        "fgets",
        ";b<p<u<",
        "    <windowsSettings>",
        "VtPh(#",
        "StringFileInfo",
        ";';9;I;O;q;",
        "D$$9L$",
        "wcschr",
        ";\\$(r",
        "X<j(Y",
        "NtOpenProcessToken",
        "j\"Yf9",
        "8\"8*82878>8F8U8a8l8",
        "9+919C9H9N9S9Y9d9j9q9v9{9",
        "%hs!%p: ",
        "1W1^1",
        ".CRT$XIA",
        "_setmode",
        "string too long",
        "0+1b1",
        "D$4Pj",
        "5G5i5",
        "mkdir ",
        "O<j;Z",
        "PSh^#",
        "PPWWWQ",
        ".rdata$zz",
        "filename_too_long",
        ".bss$dk00",
        "3(343@3L3",
        "9~(s+j",
        ":':::p:v:~:",
        "QQh|4",
        "GetModuleHandleExW",
        "0123456789",
        "MM/dd/yy",
        "__getmainargs",
        "address family not supported",
        "onecore\\base\\cmd\\StartShellExecServiceProvider.h",
        "value too large",
        "j%Xf9",
        "_get_osfhandle",
        ": ;&;W;};",
        "t$pVQ",
        "CreateFileW",
        "InitializeCriticalSection",
        "not connected",
        "GetEnvironmentStringsW",
        "SetThreadLocale",
        ":2;_;",
        "5?5g5n5",
        "GetACP",
        "=-=c=",
        "2A3K3O3Z3d3h3r3",
        "unknown error",
        ".giats",
        "9 9$989<9P9T9h9l9",
        "7)7x7",
        "SETLOCAL",
        "HIGHESTNUMANODENUMBER",
        "RaiseFailFastException",
        "j\"Zf;",
        "api-ms-win-core-processtopology-l1-1-0.dll",
        "RegCloseKey",
        "ApiSetQueryApiSetPresence",
        "timed out",
        "4P4V4n4v4",
        "CCCC@40`P@ ",
        "chdir ",
        "8,8>8R8X8^8p8",
        "<!<1<7<B<H<T<d<m<~<",
        "<\"<(<2<8<><D<Z<",
        "8B9_9z9",
        "9+9[9",
        "YY8\\$",
        "????????.???",
        "v(h(4",
        "FindFirstFileExW",
        "wwwwwwwwwwwwwww",
        "P8QRu",
        "LocalFree",
        "RegDeleteKeyExW",
        "operation not permitted",
        ".data$dk00$brc",
        "|$,+T$d",
        "memmove",
        "SVWj/X",
        "<%<D<K<l<w<",
        "323B3]3g3",
        "757S7j7",
        "8 8(8=8R8g8|8",
        "_wcslwr",
        "f;D$,u",
        "8?8`8",
        "wcsncmp",
        "operation in progress",
        "_open_osfhandle",
        "api-ms-win-core-io-l1-1-0.dll",
        ".rdata$zzzdbg",
        "tJSh$$",
        "t*h0$",
        "RtlFreeHeap",
        "VERIFY",
        "%s %s%s ",
        "ResolveDelayLoadedAPI",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "        <ws2:longPathAware>true</ws2:longPathAware>",
        "_pipe",
        "SetEndOfFile",
        "j\\Yf;",
        ";><D<I<N<S<Y<b<",
        "N<Gf9",
        "5$5,545<5D5L5T5\\5d5l5t5|5",
        "'Px0&D",
        "D$$Ph",
        "fdpnxsatz",
        "Sh(PO",
        "FileDescription",
        "GetThreadLocale",
        "resource deadlock would occur",
        "permission denied",
        "7E7J7`7",
        "6T6r6",
        ":&:X:",
        ".text$di",
        "message_size",
        "Cmd: %s  Type: %x ",
        "_controlfp",
        "GetProcAddress",
        "SetFileAttributesW",
        "no such process",
        "SVWj$",
        "RtlDllShutdownInProgress",
        "=9=@=U=\\=l=v=",
        "DisableUNCCheck",
        "%04X-%04X",
        "GetEnvironmentVariableW",
        "t3VSh",
        "too_many_files_open",
        "ShellExecuteExW",
        "GetConsoleWindow",
        "towupper",
        "4W5d5s5",
        "0B0\\0",
        "1$1,141<1D1L1T1\\1d1l1t1|1",
        "ReleaseSRWLockExclusive",
        "iostream stream error",
        "L$DQP",
        "D$LPV",
        "_purecall",
        "GetDateFormatW",
        "AFFINITY",
        "7 73787@7\\7",
        "?V?]?f?",
        "bad address",
        "<K<d<z<9=G=h=m=",
        "798P8q8",
        "OriginalFilename",
        "2<3E3J3Z3k3t3}3",
        "829Q9^:",
        "j%Yf;",
        "(0E0k0w0",
        "10.0.19041.746 (WinBuild.160101.0800)",
        "RegQueryValueExW",
        "GetCurrentProcess",
        "<1<6<A<F<Q<\\<a<",
        "vDhd:",
        "3*313Z3w3",
        "generic",
        "8::@:T:Z:`:j:t:{:",
        "f91t.",
        "FreeEnvironmentStringsW",
        "GetFileAttributesW",
        "j\\Zj:Y",
        "6&616f6{6",
        "FOR /?",
        "RegEnumKeyExW",
        "__p__fmode",
        "too many files open in system",
        "6h7l7p7t7x7",
        "tMj\\YQ",
        "1#101O1\\1x1",
        "0f;2u",
        "memcpy_s",
        "Wj:Xf9F",
        "ext-ms-win-shell-shell32-l1-2-1",
        "3)4P4`4",
        "DoSHChangeNotify",
        ">+?9?~?",
        "ext-ms-win-shell-shell32-l1-2-2",
        "j\"[f;",
        "RegCreateKeyExW",
        "%WINDOWS_COPYRIGHT%",
        "7 848v8{8Q9v9",
        "Cmd.Exe",
        "j=XPV",
        "YjWYf+",
        ";/;c;",
        "SSSSQ",
        ".didat",
        "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
        "*tr;]",
        "api-ms-win-core-string-l1-1-0.dll",
        "=L>h>",
        "2/2f2o2y2",
        "destination address required",
        "<SVW3",
        "L$XQ3",
        "2V2]2",
        "RemoveDirectoryW",
        "<<=F=Y=c=",
        "9 9B9M9_9g9l9q9",
        ".text$lp00cmd.exe!20_pri7",
        "848<8s8",
        "63696H6M6U6p6",
        "0=0Q0W0",
        "6.6A6I6m6s6y6",
        "YYf9}",
        "CreateHardLinkW",
        "6!7k7",
        "_wpopen",
        "4R5]5c5",
        "x4j/Z",
        "HeapAlloc",
        ">1>>>V>l>",
        "'j:Xj.f",
        "address_in_use",
        "%02d%s%02d%s",
        "no child process",
        "SetConsoleTextAttribute",
        "0Ph4:",
        "api-ms-win-core-errorhandling-l1-1-0.dll",
        "RevertToSelf",
        "WideCharToMultiByte",
        "OpenThread",
        "IsDebuggerPresent",
        "L$(t:",
        "operation_not_supported",
        "72898E8P8e8",
        "<\"<'<7<",
        "NtOpenThreadToken",
        "j=Xf9",
        "445(6B6k6r6",
        "SystemTimeToFileTime",
        "j:Yf9H",
        "RtlDisownModuleHeapAllocation",
        "j:Xf;",
        "|$$f9",
        "OpenSemaphoreW",
        "_unlock",
        "/w(t`",
        "@Qm6t",
        "<>+-*/%()|^&=,",
        "connection refused",
        "YjDYf;",
        "ReturnHr",
        "4h4t4",
        "longjmp",
        ".rdata",
        "=ExitCodeAscii",
        "MoveFileExW",
        ">F>^>s>",
        "WNetGetConnectionWStub",
        "1D2d2z2",
        "4$4,444<4D4L4T4\\4d4l4t4|4",
        "</trustInfo>",
        "5%6+616K6U6a6l6~6",
        "*)))))))))))))))))))))",
        "_dup2",
        "NtOpenFile",
        "LookupAccountSidWStub",
        "operation_in_progress",
        "N8WQj",
        "operation would block",
        "    <security>",
        "Software\\Microsoft\\Windows NT\\CurrentVersion",
        "f;D$d",
        "CopyFileW",
        "%hs(%d) tid(%x) %08X %ws",
        "9E9S9",
        "=.=?=L=Z=r={=",
        "EnterCriticalSection",
        "host_unreachable",
        "RtlDosPathNameToNtPathName_U",
        "Args: `%s' ",
        "727Y7",
        "invalid seek",
        "t;f9;t6",
        "_wtol",
        "text file busy",
        "        </requestedPrivileges>",
        "4]4e4",
        "SWhl;",
        "no space on device",
        "GetNumaNodeProcessorMaskEx",
        "131w1W3]3z3",
        "RtlNtStatusToDosError",
        "u\"j:Xf9F",
        "GetFileType",
        "j Yf9",
        "6-7@7T7",
        "=ExitCode",
        "illegal byte sequence",
        "SSSSP",
        "ExpandEnvironmentStringsW",
        "iswalpha",
        "ReadProcessMemory",
        "j:Xf9A",
        "6)60676V6}6",
        "CSVFS",
        "D$(PV",
        " Windows",
        "GetVolumeInformationW",
        "Microsoft",
        "7c7u7",
        "1#1*1",
        "    type=\"win32\"",
        "L$,RQh",
        "wcsspn",
        "prRRRPa",
        "???l?y?",
        ">Q>_>t>{>",
        "j\\Xj*f9DK",
        "7H8e8",
        "tef93t`",
        "iswdigit",
        "j:Xf9",
        "u4h4'",
        "5.5=5J5V5",
        "CompanyName",
        "RRRRP%",
        "D$&PVj",
        ";$;-;5;T;Z;",
        "2 2&2-222=2m2s2",
        "broken pipe",
        "_local_unwind4",
        "operation_would_block",
        "5(5<5V5]5~5",
        "f;D$8u",
        "8/8Q8",
        "v<hp:",
        "j hd;",
        "api-ms-win-core-datetime-l1-1-0.dll",
        "WilError_03",
        "        <requestedPrivileges>",
        "@.reloc",
        "setlocale",
        "ReleaseMutex",
        "DISABLEDELAYEDEXPANSION",
        "ERRORLEVEL",
        "jDXP3",
        "v<PWhP:",
        "SetEnvironmentStringsW",
        "not enough memory",
        "NtCancelSynchronousIoFile",
        "ext-ms-win-branding-winbrand-l1-1-0",
        "?terminate@@YAXXZ",
        "1G1^1",
        "toWhp8",
        "8<8K8",
        "GetNumaHighestNodeNumber",
        "=-=?=b=",
        "O8j?Z",
        "VQh(=",
        "IF /?",
        "invalid argument",
        "j:Zf;",
        "b$j-0",
        "no protocol option",
        "Yj Zf;",
        "L$0Qh",
        "%6Ru'",
        "GetStartupInfoW",
        "u%6RRRRRPp",
        "1>2Z2v2",
        "Unknown",
        " \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
        "api-ms-win-core-memory-l1-1-0.dll",
        "PPPQPPVV",
        "j.Xf9",
        "9*989]9l9",
        ".text$x",
        "4#4F4",
        ".idata$6",
        "msvcrt.dll",
        "9s:z:",
        "swscanf",
        "_XcptFilter",
        "RoUninitialize",
        "<q=P>w>",
        "4)4G4",
        "api-ms-win-core-processthreads-l1-1-0.dll",
        "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "80848H8L8`8d8x8|8",
        "D$|QP",
        "SetThreadUILanguage",
        ":-:I:Q:X:c:l:",
        "=)>A>",
        "?Rich",
        "network_reset",
        "RtlFreeUnicodeString",
        "u#Sh)'",
        "tbhX ",
        "?C?H?P?o?",
        "not a socket",
        "?=?h?o?z?",
        "GlobalFree",
        "1i1r1|1",
        "RWRVh",
        "SaferWorker",
        "GetConsoleOutputCP",
        "QQSVW",
        "0,090",
        ":X:b:t:",
        "5;5B5j5",
        "4_5p5~5",
        "80J0f0u0",
        "708[8"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
      "process_name": "cmd.exe",
      "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
      "pid": 2144
    },
    {
      "name": "2dcf5c2511d637876e9187cd2de67e372bd8f1c2f13ef79dfa110ba47df26ef4",
      "path": "/opt/CAPEv2/storage/analyses/95/procdump/2dcf5c2511d637876e9187cd2de67e372bd8f1c2f13ef79dfa110ba47df26ef4",
      "guest_paths": "1;?C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe;?C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe;?",
      "size": 118784,
      "crc32": "5014FEEB",
      "md5": "ee0f5fd51ef3d77b65cf6689c02cb8e3",
      "sha1": "ceb2ac16d8da3ff74cede6307156cb7ad40d3cd9",
      "sha256": "2dcf5c2511d637876e9187cd2de67e372bd8f1c2f13ef79dfa110ba47df26ef4",
      "sha512": "7a8da71341e582995f08771120a618f9f70f6ba368304f1af4763b8bf3b565c9124d06e827a7c51419428026a1315a506a11dd5760cf7c418178e1231810fea0",
      "rh_hash": null,
      "ssdeep": "3072:IdBuXaFllOQXbk+pj+TiddURolFbnHrZs91krsWAB:I72aFl3XbPj+unLMkrsZB",
      "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
      "yara": [
        {
          "name": "INDICATOR_EXE_Packed_aPLib",
          "meta": {
            "description": "Detects executables packed with aPLib.",
            "author": "ditekSHen"
          },
          "strings": [
            "{ 41 50 33 32 18 00 00 00 E4 41 00 00 D9 1E 80 0E 00 7E 00 00 E3 50 DE 1E 4D 38 5A 90 }",
            "{ 41 50 33 32 18 00 00 00 9C 53 00 00 0E 34 40 EA 00 BE 00 00 6B BA 10 7E 4D 38 5A 90 }",
            "{ 41 50 33 32 18 00 00 00 71 AF 00 00 CF 9E A0 D2 A0 5C 01 00 62 01 E2 A2 4D 38 5A 90 }"
          ],
          "addresses": {
            "header": 61760
          }
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1EFC3F1217BF06075E2F14AB5FEB9663196ABF51A0336C20F0F104A060D7EB8649BD727",
      "sha3_384": "9b4bc7b9877785ff36c471162faa92d6a14a05a8002bf487c5ba117c33131f8786a9bb64527e3415f6f11cbd2410a64c",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\95\\invoice_231836298371.exe",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x00001e65",
        "ep_bytes": "535657ff15446040000fb7c033ff576a",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x000294b6",
        "osversion": "5.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": null,
        "imports": {
          "ntdll": {
            "dll": "ntdll.dll",
            "imports": [
              {
                "address": "0x4060cc",
                "name": "ZwFsControlFile"
              },
              {
                "address": "0x4060d0",
                "name": "ZwQueryDirectoryFile"
              },
              {
                "address": "0x4060d4",
                "name": "RtlIpv4StringToAddressA"
              },
              {
                "address": "0x4060d8",
                "name": "ZwGetContextThread"
              },
              {
                "address": "0x4060dc",
                "name": "RtlExitUserThread"
              },
              {
                "address": "0x4060e0",
                "name": "ZwWriteVirtualMemory"
              },
              {
                "address": "0x4060e4",
                "name": "ZwSetInformationFile"
              },
              {
                "address": "0x4060e8",
                "name": "ZwTerminateThread"
              },
              {
                "address": "0x4060ec",
                "name": "ZwResumeThread"
              },
              {
                "address": "0x4060f0",
                "name": "RtlInterlockedPushEntrySList"
              },
              {
                "address": "0x4060f4",
                "name": "RtlInterlockedPopEntrySList"
              },
              {
                "address": "0x4060f8",
                "name": "RtlNtStatusToDosError"
              },
              {
                "address": "0x4060fc",
                "name": "ZwQuerySystemInformation"
              },
              {
                "address": "0x406100",
                "name": "ZwAdjustPrivilegesToken"
              },
              {
                "address": "0x406104",
                "name": "ZwOpenThreadTokenEx"
              },
              {
                "address": "0x406108",
                "name": "ZwTerminateProcess"
              },
              {
                "address": "0x40610c",
                "name": "ZwOpenThread"
              },
              {
                "address": "0x406110",
                "name": "RtlExpandEnvironmentStrings_U"
              },
              {
                "address": "0x406114",
                "name": "ZwQueryValueKey"
              },
              {
                "address": "0x406118",
                "name": "ZwOpenKey"
              },
              {
                "address": "0x40611c",
                "name": "RtlPrefixUnicodeString"
              },
              {
                "address": "0x406120",
                "name": "RtlGetCurrentPeb"
              },
              {
                "address": "0x406124",
                "name": "RtlTimeToSecondsSince1980"
              },
              {
                "address": "0x406128",
                "name": "ZwCreateEvent"
              },
              {
                "address": "0x40612c",
                "name": "ZwOpenEvent"
              },
              {
                "address": "0x406130",
                "name": "wcschr"
              },
              {
                "address": "0x406134",
                "name": "ZwQueryEaFile"
              },
              {
                "address": "0x406138",
                "name": "RtlDosPathNameToNtPathName_U"
              },
              {
                "address": "0x40613c",
                "name": "LdrFindEntryForAddress"
              },
              {
                "address": "0x406140",
                "name": "ZwAlertThread"
              },
              {
                "address": "0x406144",
                "name": "ZwWaitForSingleObject"
              },
              {
                "address": "0x406148",
                "name": "ZwDelayExecution"
              },
              {
                "address": "0x40614c",
                "name": "ZwOpenProcess"
              },
              {
                "address": "0x406150",
                "name": "RtlEqualUnicodeString"
              },
              {
                "address": "0x406154",
                "name": "ZwDeleteValueKey"
              },
              {
                "address": "0x406158",
                "name": "ZwDeleteKey"
              },
              {
                "address": "0x40615c",
                "name": "ZwEnumerateKey"
              },
              {
                "address": "0x406160",
                "name": "ZwQueryKey"
              },
              {
                "address": "0x406164",
                "name": "ZwDuplicateObject"
              },
              {
                "address": "0x406168",
                "name": "RtlComputeCrc32"
              },
              {
                "address": "0x40616c",
                "name": "memset"
              },
              {
                "address": "0x406170",
                "name": "ZwUnmapViewOfSection"
              },
              {
                "address": "0x406174",
                "name": "ZwMapViewOfSection"
              },
              {
                "address": "0x406178",
                "name": "ZwCreateSection"
              },
              {
                "address": "0x40617c",
                "name": "ZwQueryInformationFile"
              },
              {
                "address": "0x406180",
                "name": "ZwImpersonateThread"
              },
              {
                "address": "0x406184",
                "name": "ZwWriteFile"
              },
              {
                "address": "0x406188",
                "name": "RtlRandomEx"
              },
              {
                "address": "0x40618c",
                "name": "ZwQueryInformationProcess"
              },
              {
                "address": "0x406190",
                "name": "ZwQueryInformationToken"
              },
              {
                "address": "0x406194",
                "name": "ZwOpenProcessToken"
              },
              {
                "address": "0x406198",
                "name": "ZwQueryVolumeInformationFile"
              },
              {
                "address": "0x40619c",
                "name": "ZwOpenFile"
              },
              {
                "address": "0x4061a0",
                "name": "memcpy"
              },
              {
                "address": "0x4061a4",
                "name": "wcscpy"
              },
              {
                "address": "0x4061a8",
                "name": "ZwSetSecurityObject"
              },
              {
                "address": "0x4061ac",
                "name": "RtlAdjustPrivilege"
              },
              {
                "address": "0x4061b0",
                "name": "ZwCreateFile"
              },
              {
                "address": "0x4061b4",
                "name": "RtlFreeUnicodeString"
              },
              {
                "address": "0x4061b8",
                "name": "ZwClose"
              },
              {
                "address": "0x4061bc",
                "name": "wcslen"
              },
              {
                "address": "0x4061c0",
                "name": "ZwSetValueKey"
              },
              {
                "address": "0x4061c4",
                "name": "RtlInitUnicodeString"
              },
              {
                "address": "0x4061c8",
                "name": "ZwCreateKey"
              },
              {
                "address": "0x4061cc",
                "name": "swprintf"
              },
              {
                "address": "0x4061d0",
                "name": "ZwSetContextThread"
              },
              {
                "address": "0x4061d4",
                "name": "RtlFormatCurrentUserKeyPath"
              }
            ]
          },
          "KERNEL32": {
            "dll": "KERNEL32.dll",
            "imports": [
              {
                "address": "0x406040",
                "name": "LocalFree"
              },
              {
                "address": "0x406044",
                "name": "GetVersion"
              },
              {
                "address": "0x406048",
                "name": "LocalAlloc"
              },
              {
                "address": "0x40604c",
                "name": "CreateTimerQueueTimer"
              },
              {
                "address": "0x406050",
                "name": "DeleteTimerQueueTimer"
              },
              {
                "address": "0x406054",
                "name": "GetLastError"
              },
              {
                "address": "0x406058",
                "name": "BindIoCompletionCallback"
              },
              {
                "address": "0x40605c",
                "name": "CreateProcessW"
              },
              {
                "address": "0x406060",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x406064",
                "name": "DisableThreadLibraryCalls"
              },
              {
                "address": "0x406068",
                "name": "ExitThread"
              },
              {
                "address": "0x40606c",
                "name": "Sleep"
              },
              {
                "address": "0x406070",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x406074",
                "name": "CreateThread"
              },
              {
                "address": "0x406078",
                "name": "ExitProcess"
              },
              {
                "address": "0x40607c",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x406080",
                "name": "GetProcAddress"
              },
              {
                "address": "0x406084",
                "name": "VirtualProtect"
              },
              {
                "address": "0x406088",
                "name": "GetTickCount"
              }
            ]
          },
          "WS2_32": {
            "dll": "WS2_32.dll",
            "imports": [
              {
                "address": "0x406098",
                "name": "WSASendTo"
              },
              {
                "address": "0x40609c",
                "name": "setsockopt"
              },
              {
                "address": "0x4060a0",
                "name": "WSASend"
              },
              {
                "address": "0x4060a4",
                "name": "WSARecv"
              },
              {
                "address": "0x4060a8",
                "name": "WSAIoctl"
              },
              {
                "address": "0x4060ac",
                "name": "bind"
              },
              {
                "address": "0x4060b0",
                "name": "closesocket"
              },
              {
                "address": "0x4060b4",
                "name": "WSAGetLastError"
              },
              {
                "address": "0x4060b8",
                "name": "WSASocketW"
              },
              {
                "address": "0x4060bc",
                "name": "WSACleanup"
              },
              {
                "address": "0x4060c0",
                "name": "WSAStartup"
              },
              {
                "address": "0x4060c4",
                "name": "WSARecvFrom"
              }
            ]
          },
          "ADVAPI32": {
            "dll": "ADVAPI32.dll",
            "imports": [
              {
                "address": "0x406000",
                "name": "StartServiceCtrlDispatcherW"
              },
              {
                "address": "0x406004",
                "name": "OpenSCManagerW"
              },
              {
                "address": "0x406008",
                "name": "CloseServiceHandle"
              },
              {
                "address": "0x40600c",
                "name": "DeleteService"
              },
              {
                "address": "0x406010",
                "name": "ChangeServiceConfigW"
              },
              {
                "address": "0x406014",
                "name": "ControlService"
              },
              {
                "address": "0x406018",
                "name": "OpenServiceW"
              },
              {
                "address": "0x40601c",
                "name": "MD5Init"
              },
              {
                "address": "0x406020",
                "name": "RegisterServiceCtrlHandlerExW"
              },
              {
                "address": "0x406024",
                "name": "SetServiceStatus"
              },
              {
                "address": "0x406028",
                "name": "CryptReleaseContext"
              },
              {
                "address": "0x40602c",
                "name": "CryptGenRandom"
              },
              {
                "address": "0x406030",
                "name": "CryptAcquireContextW"
              },
              {
                "address": "0x406034",
                "name": "MD5Final"
              },
              {
                "address": "0x406038",
                "name": "MD5Update"
              }
            ]
          },
          "SHELL32": {
            "dll": "SHELL32.dll",
            "imports": [
              {
                "address": "0x406090",
                "name": "ShellExecuteExW"
              }
            ]
          }
        },
        "exported_dll_name": "30598-0-v3.exe",
        "exports": [
          {
            "address": "0x41d5c0",
            "name": "AlphaBlend",
            "ordinal": 1
          },
          {
            "address": "0x41d5e9",
            "name": "GradientFill",
            "ordinal": 2
          },
          {
            "address": "0x41d616",
            "name": "TransparentBlt",
            "ordinal": 3
          }
        ],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x0001d560",
            "size": "0x000000d6"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0001caa0",
            "size": "0x00000078"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0001f000",
            "size": "0x000001e0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00020000",
            "size": "0x00000450"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00005000",
            "size_of_data": "0x00004800",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.52"
          },
          {
            "name": ".rdata",
            "raw_address": "0x00004c00",
            "virtual_address": "0x00006000",
            "virtual_size": "0x00018000",
            "size_of_data": "0x00017800",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "7.84"
          },
          {
            "name": ".data",
            "raw_address": "0x0001c400",
            "virtual_address": "0x0001e000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "1.52"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x0001c800",
            "virtual_address": "0x0001f000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.70"
          },
          {
            "name": ".reloc",
            "raw_address": "0x0001ca00",
            "virtual_address": "0x00020000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "5.42"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "RT_MANIFEST",
            "offset": "0x0001f060",
            "size": "0x0000017a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.93"
          }
        ],
        "versioninfo": [],
        "imphash": "d3b197f8d7c3a6c1451cdd9039d5ed2a",
        "timestamp": "2013-11-25 15:34:01",
        "icon": null,
        "icon_hash": null,
        "icon_fuzzy": null,
        "icon_dhash": null,
        "imported_dll_count": 5
      },
      "data": null,
      "strings": [
        ".>#|E^@)",
        "bd2V/",
        "2s;$hy",
        "F.!'d{r",
        "</assembly>",
        "9r$t@vFxbzk|p~{~",
        "ds4%j",
        "ZwGetContextThread",
        "ZwQueryEaFile",
        "SVWAT.",
        "PVVVWj",
        "ongjm",
        "GetLastError",
        "OfE?/",
        "ExitThread",
        "$#sqH",
        "ZwOpenKey",
        "j4\\Z ",
        "Vc32.",
        "QB5t(",
        "RemoteAccess",
        "ltG m",
        " \\pb_si\"yvi0",
        "RtlInterlockedPopEntrySList",
        "CreateThread",
        "*\"8DP`",
        "ZwCreateSection",
        "\"S'ap",
        "RtlCreateUserThread",
        "fk)p!MrZ",
        ";[}< ",
        "8/u2#",
        "H~axd",
        " {EOAc",
        "pdg?eN",
        "ZztaG",
        "uf4.//",
        "/yp`Xqu",
        "{Z Op6Fi",
        "*pp[g#",
        ",9;NB",
        "RQM<tPI",
        "Z,@5<",
        "Y^<<=@>D&H",
        "L1gR\"C",
        "system32\\msimg32.TransparentBlt",
        "*!cpy",
        "/BK%^%",
        "_;rwt",
        " t@6n76K",
        "*p(bw",
        "WSAIoctl",
        "r~46xX",
        "d bys",
        "{bU,|",
        "Google Update Service (gupdate)",
        "~p@3j",
        "1980qXJ~",
        "`.rdat",
        "L$*@#",
        "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "A\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\",
        "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "OpenServiceW",
        "\"p8E2",
        "LocalFree",
        "|pvU9$",
        "5&5;5I5Q5Y5a5i5q5y5",
        "$IH7R",
        "ePA^A\\_^]",
        ":a@; -",
        "eC$i8\\-H",
        "3\"\\.1",
        "8E0>P",
        "3KB9C0",
        "AABBf",
        "iEn.p",
        "t5f9)",
        "VVVVW",
        "3;p}2T",
        "GetTickCount",
        "\\9R>8",
        "IR)4m",
        "memcpy",
        "M4V)K",
        "]{t\"3",
        " uIIce",
        "\"C`KQ",
        "GetSystemTimeAsFileTime",
        "PrF9*",
        "system32\\msimg32.GradientFill",
        "ZwQueryInformationProcess",
        "+:$Bf",
        "7Y uN",
        "url6h\"",
        "LdrProcessRelocationBlock",
        ",DH3p",
        "$(JHuo",
        "C7R&l",
        "dNY2!",
        "#!N\\{*",
        "Macromedxi",
        "A\\??\\%08x",
        "t-CC<",
        "k0 7G",
        "1Xv^j",
        "L$09N",
        "$>C~K+",
        "=send",
        "-/&$f",
        "ZwOpenThreadTokenEx",
        "pW<qP",
        "pBB*3n",
        "G8PW@",
        "qbEdr0",
        "[m9|5",
        " `)*8DU.p",
        "y>]r}",
        "AlphaBlend",
        ",1 c#",
        "ZwSetValueKey",
        "GoogleUpdate.exe",
        "\"BLk/$d",
        "proggam",
        "a}Mle",
        "OSLDUp",
        "9G:];",
        "WSASendTo",
        "Lf*vw/",
        "7ToWlK",
        "DiJ0H",
        "FAsul+",
        "G 5%u",
        "sPy M",
        "}Vhdisc3",
        "nDm\"l",
        "Connection: close",
        "AMSASCui.exe",
        "+NR u",
        "fH6Q>fO",
        "nzg{V",
        "0HCvV",
        "!_KN<",
        "=r7tBv",
        "RtlInitAnsiString",
        "Z0T@ `",
        "ZwAdjustPrivilegesToken",
        "MD5Init",
        "Ta;XD",
        ",E2HPdf",
        "9%vYpDa",
        "2 2*242>2M2S2\\2e2t2",
        "2d!wF",
        "qkW,%b",
        "e0A_A^A]A\\_^]",
        "ZwTerminateThread",
        "\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        "GetCommandLineW",
        "VhoJL",
        "}n{WJ",
        "b<$v8!",
        "ZwSetSecurityObject",
        "fixUn",
        "_A@}a",
        "CAVB -F",
        "MD5Final",
        "<R>b>|>",
        "f:!tma",
        "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "ru$SM",
        "}$C,3h",
        "Windows Defender",
        "lD('M",
        ";;<X<",
        "rwJt6(1",
        "30598-0-v3.exe",
        "ADisplayName",
        "xQzo|",
        "d\"ZDPF",
        "Sleep",
        ")0tru^n",
        "k!@L_>",
        "'6GTgo",
        "fuLPD",
        "So'ZB",
        "+%D@i",
        "t%v>M",
        " !8F\\Ify",
        "]k!qy",
        "6T6p6v6",
        "CreateTimerQueueTimer",
        "A\\??\\%s\\",
        "0SVW3",
        "2P!SQ",
        "Ff#WL",
        "53*I\\",
        "\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D77}",
        "V E)v2",
        "SetServiceStatus",
        "AMicrosoft Base Cryptographic Provider v1.0",
        "GoogleDesktopManager-010708-104812",
        "_zj1.",
        "ADVAPI32.dll",
        "hF(!Wx",
        "puHj>",
        "D$0E3",
        "runas",
        "he:igC7|J",
        ")UPV!y3!",
        "A\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellServiceObjects\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}",
        ",SVW3",
        "ntdll.dll",
        "(cbBu(",
        "sT^Q ,",
        "(.y`;*m+",
        "7+7C7",
        "QechFTHX",
        "o`U!M",
        "|hGxg",
        "E)B. B0C",
        "Desktop",
        "R@G;~",
        "u2 5pD`",
        "%@xiL",
        "Phc5u\\",
        "<jf<DP<",
        ",(Kjr",
        "GetProcAddress",
        "c:\\windows\\system32\\config",
        "1;6:30",
        "Host: j.maxmind.com",
        "memset",
        "$9|HN",
        "2C2L2_2i2",
        "AP32uS",
        "C!)fU",
        "5$5D5d5",
        "A\\BaseNamedObjects\\Restricted\\{0C5AB9CD-2F90-6754-8374-21D4DAB28CC1}",
        "8Y)c5",
        "''l&&",
        "cSLxo",
        "ZwCreateFile",
        "  </trustInfo>",
        "\\InstallFlashPlayer.exe",
        " fQh5L",
        "Rj[gr",
        "v3M)PbW,9",
        "V/\\_S>",
        ",93?:m;~<",
        "a.F\\@",
        "This ",
        "b:ZKW^$sva3",
        "88w*P4[td",
        "!yQ(i)",
        "ShellExecuteExW",
        "RtlPrefixUnicodeString",
        "(BBjU",
        "'TrmJ",
        "B\"\"pC",
        "JxDVR",
        "\"2<iFbSj",
        "<J^4\"",
        "1>0<L",
        "C Dsb{Z",
        "=r0t@vSxcz",
        "V9CSR",
        "NBR64Q|Ac ^p",
        "Q!UD9",
        "/^ixm",
        "9b9s9|9",
        "A;E4R[qF",
        "RtlImageNtHeader",
        "&:A:s",
        "8P\"LC",
        "ZwQueryInformationToken",
        "hrecv",
        "s%btx",
        "'!G2g9",
        "=6(^>",
        "F\"l^^",
        "ZwWriteFile",
        "S}-*+",
        "Q\"UDEY",
        "}3Yh.4o",
        "{H8$+",
        "D>\\6h",
        "@~XpK",
        "^:J&^",
        "ZwOpenEvent",
        "-rN#3",
        "IcC<B",
        " 0SCj",
        "Microsoft Security Client",
        "RtlTimeToSecondsSince1980",
        "C@vOh",
        "tw0Ps",
        "V6.Mc",
        "&x %u",
        "|UDmO",
        "RtlInitUnicodeString",
        "AP32u",
        "bO9EnE",
        "r$hHX",
        "T$0E3",
        "GNOL1",
        "t]UmD",
        "B\"qIoD",
        "]/TN!",
        "0G0R0",
        "GWShx",
        "send!",
        "ZzbL,",
        "@7.KD",
        "ZwResumeThread",
        "]tD*`",
        "Durb_a",
        "ZwWriteVirtualMemory",
        "pQu.yiu)W$GR`adFi\\l",
        "c]Oa(l",
        "W );+\\`",
        "Dx}R ",
        "$[_Wf",
        "4.-2!3",
        "z;T0S",
        "ATEMP=",
        "Au$j8G",
        ")DCv\"",
        "RtlComputeCrc32",
        "uHf9t8",
        "02Q\"P.",
        "94Y}m",
        "ZwQueryValueKey",
        "_Notif",
        "oDn\"m",
        "tdole2.",
        "comspec=",
        "_46EP",
        "V.\"sfo)S",
        "4dm(NTd",
        "'%G5e?",
        "ZwUnmapViewOfSection",
        "RtlRandomEx",
        "ntdll",
        "etadpug",
        "\\Oj&7",
        "SVWh ",
        "OpenSCManagerW",
        "AType",
        "}'nHhL",
        "tx&(I ",
        "sASSj!j",
        "v'x:z",
        "Q$UWQ",
        "ADescription",
        "p2E9%",
        ")zW1a",
        "bYS>v",
        "\\5/CH",
        "1%1Y1p1",
        "ALocalSystem",
        "@explorer.exe",
        "TAqC&",
        "tvux|",
        "R)#uP",
        "AImagePath",
        "ne6Zu",
        "!KB(8*O",
        "cu8&O",
        ")B8!oL",
        "pp9pApBQC",
        "ZwCreateKey",
        "8`}|L",
        "RtlFormatCurrentUserKeyPath",
        "u9V_4",
        "Glc]@m",
        "hShsend",
        "s5`4(",
        "aX3{f",
        "MF0dd",
        "ZwOpenThread",
        "t8TBt",
        "RegisterServiceCtrlHandlerExW",
        "sF<MK",
        "fZ@MA",
        "{8Wh@",
        ":9!:8;B<Q=W>n?",
        ";ljmp",
        "i|SwRf",
        "bY&,w",
        "6)$wPI",
        "UJEnW^(X",
        "en&lK",
        "}dO|0",
        ",B&h#VxVi%mP|",
        "FKdX:",
        "0SN+C",
        "ip.1]VE",
        "e5U@fG",
        "y3Jgn=p",
        "p+:$B",
        "4_T 4",
        "(Ll%A",
        "pHpJaPV",
        "AProgramFiles=",
        " :@;P<",
        "VAh<9",
        "DeleteService",
        "DeleteTimerQueueTimer",
        "ZwQueryKey",
        "QaVnX",
        "(@G=<C",
        "Q6b.h",
        "aV8DK",
        "=>|HI",
        "j,%`R",
        "!CiuQ",
        "E9X[?j",
        "r0dF8",
        "ExitProcess",
        "      </requestedPrivileges>",
        "| WWWh@",
        "\"P`Ax8,;",
        "97wXTW",
        "Mu-\\>\\",
        "8E\\,P",
        "PWSh$",
        "Rich8!",
        "V0&Ux(",
        "SHEqL",
        "ZwOpenProcessToken",
        "ZwDelayExecution",
        "GradientFill",
        "\\msimg32.dll",
        "Up|~eH",
        "PWSh8",
        "%t\\P)XP",
        "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it.",
        "D)IBV`wSP",
        "GetModuleHandleW",
        "3aJ>sIw!@yNc",
        "8)%?-",
        "wIHDa",
        "a (W)",
        "\\E!`z",
        "ceTor",
        "8;D<K=y>",
        "DisableThreadLibraryCalls",
        "A\\??\\ACPI#PNP0303#2&da1a3ff&0",
        "jC_<@x",
        "'*G8g?",
        ".rdat(",
        "|V8\"lp",
        ":22d_U",
        "\"po,L",
        "`#h@w",
        "ZwSetContextThread",
        "j5\\Z ",
        "VYjD0",
        "b;K+1i0\"",
        "PcaSvc",
        "ZwDeleteValueKey",
        "I'?kdd",
        "]NiEP",
        "918:L;Y<o=v",
        "d!\"+$",
        "Awscntfy.exe",
        "d@^T@]4@\\",
        ":\"LD\\l",
        "x$jH\\",
        "QQSVWj(",
        "3U'vd",
        "PWSh\\",
        "RtlImageDirectoryEntryToData",
        "o`t:h",
        "\"g/;C",
        "ATMP=",
        "<(}7,E",
        "SharedAccess",
        "`100W0",
        "LocalAlloc",
        "PS$uE",
        "I+U,?Z",
        "UxK2yP\"h",
        "*[R'/",
        "5+6@6G6O6V6h6",
        "AObjectName",
        "&z:db8",
        "X5a<>a",
        "u&jF3 P",
        "T#:D&>",
        "iphlpsvc",
        "wU#[ ",
        "uTz32",
        "$dl$n",
        "Amsseces.exe",
        "\\BaseNamedObjects\\{81D05F9A-5343-439f-ACAB-E7822E4416F9}",
        ">m~vK1",
        "l$ eL",
        "pl[z%",
        ".yl04j",
        "-Thi(vr]",
        "}tJ(b8*",
        "ybkg[q`y",
        "AProgramW6432=",
        "0n7AV",
        "\", &h#",
        "ZwWaitForSingleObject",
        ";ha5h",
        "RtlExpandEnvironmentStrings_U",
        ".$l<b",
        "L$PE3",
        "MPb3H",
        "Edc]C3A",
        "c(D7D",
        "ZwQueryDirectoryFile",
        "}e^)9",
        "nglEu",
        "BY)FP",
        "_[3M;",
        "2 242",
        "0/060V0c0t0}0",
        "RtlAdjustPrivilege",
        ",'3\\]",
        ".%-I.",
        "XSVWj",
        "UVWATAUH",
        "q1u2B",
        "I=:on",
        "p>4FH",
        "Ga`jx",
        "8UPh6 {L",
        "r;7t+",
        "lLh!=P",
        "IvW2.ar",
        "_MX|P",
        ",r>9T",
        "Gw(<C",
        "b9I;s",
        "Zz ,G",
        "RtlGetCurrentPeb",
        "90:4:8:<:@:D:H:",
        "^1_sIvH",
        "U,!C^&",
        "ZwFsControlFile",
        "E\"LM?",
        "Adob_",
        "%;g\\$a",
        "1HHee3@",
        "\"RIEN",
        "\\u7FK",
        "=@t+TZ",
        "6'70797_7~7",
        ".=V62eY",
        ";wuTZ ",
        "~J(y1",
        "A)a\"A",
        "1<1\\1t1",
        "pNiQ 9~ob^",
        "O?/VJ",
        "VirtualProtect",
        "^bMRQ4q",
        "$qSA^1",
        "r`[t\\0",
        "Ea2c_",
        "H82h)",
        "D&n+P",
        "ZwTerminateProcess",
        "GetVersion",
        "b)ix^",
        "StartServiceCtrlDispatcherW",
        "!This program cannot be run in DOS mode.",
        "S^ #L",
        "x.t9ex",
        "xr^AdH",
        "IsWow64*g",
        "'$E)3",
        ")pHUS",
        "[Kjhd",
        "=SH$>",
        ":$THn",
        "wcscpy",
        "Dkf 9",
        "UPVE/",
        "PWWj j",
        "@ k@(s",
        "1F8![",
        "8PLEU",
        "!e(<]",
        "\"F0uf8",
        ";9<C<",
        "G'*p-",
        "RtlEqualUnicodeString",
        "P\"ShQ",
        "zN*dl",
        "%yRA< 3",
        "2ptf}1H",
        "HDxX2",
        "?7!Op1",
        "zL*T.Y",
        "-VfL!*",
        "}qV2F",
        "TransparentBlt",
        "ZwQueryVolumeInformationFile",
        "2fX{ ",
        "      <requestedPrivileges>",
        "Wj@\\h",
        "*8j4Nmb6P",
        "k\"s(|",
        "WSASocketW",
        "\"uXZP",
        "D0fnAV",
        ":;:G:",
        "PK$`%(",
        "S}PA0",
        "Op }P",
        "c$YHO",
        "d[Q|9",
        "K~]E>",
        "Qkkbal",
        "i_*).N",
        "    <security>",
        "NT_PjR0",
        " X.vp",
        "^AX(W",
        "Lteg$8",
        "fc!da",
        "4<ltH",
        "SVWj j",
        "zeDl2",
        "6yMbV",
        "v$lHb",
        "?$?H?P?U?",
        "929G9",
        "EL7)1",
        "GET /app/geoip.js HTTP/1.0",
        "===n=",
        "services.exe",
        "N!kD8",
        "8=/t{x-{a",
        "ti:X'",
        "TClocs*G",
        "1/'TG",
        "CreateProcessW",
        "RtlDosPathNameToNtPathName_U",
        "8)828W8c8",
        ".rd9at@",
        "[&TD7",
        "`NFlJAWG",
        "nr:ef",
        "0^h x@af",
        ".text",
        "P'!G=gb",
        "7[<),\"",
        "ZwOpenProcess",
        "$=Sl^(q",
        "44b8d&",
        "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>",
        ">P>a>f>t>",
        "#Ccx0",
        "tiX3_",
        "nhcnct3",
        "4n'xG",
        "ANisSrv.exe",
        "|YVVj",
        "hJuD;M",
        "@UVWATAVH",
        "VC20X",
        "AErrorControl",
        "|\"`DLB",
        "system32\\msimg32.AlphaBlend",
        "4-4;4`4f4",
        "\\systemroot",
        "PolicyAgent",
        "\"<BC7",
        "z93uv",
        "ZwSetInformationFile",
        "RtlNtStatusToDosError",
        "oFRiaw",
        "'(G3ga",
        "(at26",
        "$Aa<)2",
        ":O;^;e;s;",
        "reloc",
        "94':.;=<I=k>q?",
        "N\"<D*",
        "V%f4V",
        "tvjxszx|",
        "AStart",
        "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>",
        "4'404l4",
        "HdLc8",
        "        <requestedExecutionLevel level='asInvoker' uiAccess=\"false\"/>",
        "a Afv",
        "j.maxmind.com",
        "24J1P",
        "    </security>",
        "%[I4o",
        "kH-'d6L",
        "\\systemroot\\system32\\config",
        "soA cR",
        "%Zo1F5",
        "6#XDV",
        "Mv1m;Y",
        "DxQ~u",
        "+vP]+v",
        "Rqb:OK",
        "rFB\\b",
        "H,2hJ!",
        ":<E|J",
        "QQSWj",
        "v' 'M'",
        "A\\Google",
        "(dC8yJ$",
        "P O<@",
        "Local AppData",
        "cchad",
        "P\">D.",
        "SHELL32.dll",
        "WSARecvFrom",
        "S-T\".GF",
        "[R<T1\\",
        "+>hVKe",
        "c54<-",
        "#Sq-v%9Vx",
        "<t@gBpE}",
        "=V=c=",
        "RtlExitUserThread",
        "_^\"$=",
        "ZwOpenFile",
        " {jhu",
        "CryptAcquireContextW",
        "^`L!t",
        "pNeuY_mD",
        "MF*-%",
        "p\"^DN@",
        "WSASend",
        "b(=#L>E(1",
        "l{8dP",
        "$ND3j",
        "o+@# ",
        "2<3\\4`4d4h4l4p4t4x4|4",
        "AQAPRQH",
        "A\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D78}",
        "*<L@M|",
        "5?xTH<",
        ">T\"]~",
        "Install",
        ")l6}Ds",
        "aS Af",
        "Dz%^_",
        ";Iu]\"",
        "`Rt1!Z",
        "^ vRp",
        "wcslen",
        "mqy 5",
        "/6jDb",
        "LgANG",
        "Q\"=B%%",
        "|UVh(",
        "~P~Z~d~n~x",
        "\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend",
        "WSARecv",
        "rPa%hW\\",
        "PSSSSS",
        "re'cvIzh!",
        "8MIMs>q",
        "1-191Y1y1",
        "3*363@3d3",
        "=Ak94Qu_4",
        "@UVWATAUAVAWH",
        "MzoiuZF",
        "RtlIpv4StringToAddressA",
        "+vPp,v",
        "Y5tAnr|hD",
        "0.090A0[0",
        "j% Uy`",
        "YYj\"Xf",
        "zhph ",
        "D75I;",
        "CC!L-",
        "%N_;Z",
        ",tS!P",
        "=cnctt^=recvt",
        "<WVSU",
        "los*^",
        "L0Jr, Y4Mh",
        "wscsvc",
        "E\";D1'",
        "htAk+",
        "NKqBOh,",
        "AcSfc",
        "eb= ->",
        "B6@p7",
        "l0e,G",
        "\"V9j $",
        ";7$C:",
        "YZ0)3",
        "Fo;ld",
        "XBu8%C",
        "t\";DEO",
        "wZ#C ",
        "mode.",
        "Bl)2N",
        "ljmpt",
        "^$-na",
        "t@HuB",
        "KE9RN",
        "@.reloc",
        "M>ngEA",
        ",6='FGMg[",
        "PPPPPPPPj",
        "h<iD+",
        "Shrecv",
        ";@;K;T;i;",
        "\\|!N`",
        ";H#-) *",
        "*Z[S)",
        "tasrTu",
        "ZwDuplicateObject",
        "$f2e?m",
        " geoip_country_code",
        "101D1X1l1",
        "><?F?",
        "?.?O?X?h?",
        "4$5-5:5A5F5K5R5W5\\5",
        "L$<+L$",
        ">0+{Q% ",
        "MD5Update",
        "C1l\"\\",
        "$G$H6 ",
        "ceqsJR",
        "3rBtevlx",
        "&tAus",
        "\"6s:O",
        " \\rph",
        "RtlInterlockedPushEntrySList",
        "8081,2",
        "swprintf",
        "_Notify;Ic",
        "Google Update",
        "D3$'s",
        "BindIoCompletionCallback",
        "P9yUY",
        "l QlZ",
        "wn>Jj",
        "N;sAPw",
        "t&\\xw",
        "'&:fb",
        "\\PzVdQ!",
        "G@UVJr",
        "ZwClose",
        "ZwDeleteKey",
        "2tAvM",
        "KTVq#",
        "(YZAXAY",
        "FBCeG",
        "8?8O8d8i8",
        "ChangeServiceConfigW",
        "fixUnEc",
        "O!vu8z",
        ">'>j>y>",
        "`.rdata",
        "}PJ@o",
        "RFDXjv",
        "0_QJ+",
        "2+RIEx1",
        "ControlService",
        "UQPXY]",
        "vU%wf",
        "gG8J-lx",
        "=disc",
        "I+[|<",
        "CryptReleaseContext",
        "@Vc3^2",
        "KERNEL32.dll",
        "; <%<+<2<><D<\\<",
        "@.#l6BI",
        "ui\"8d",
        "RtlExitUserProcess",
        "i,1_%]^*",
        "ProgramFiles(x86)=",
        "D<ha/",
        "~U)i_",
        "6a6q6}6",
        "AParameters",
        "PSSSh",
        "gA.bE",
        "A%&IcI",
        "@B!^|",
        "c7qyI",
        "<|rLWu",
        "@,NR=",
        "ZwMapViewOfSection",
        "I>ee4",
        "tg+Ed",
        "d|YL9",
        "QClo0",
        ":RU{P%",
        "wcschr",
        "9)9C9n9",
        "8b8i8",
        "94GK]",
        "*g8D`\"h'U",
        "\"(D<T",
        "X$hHz",
        "ZwQuerySystemInformation",
        " VWhsend",
        "u80K9Dr",
        "eq/##",
        "hZl$y0",
        "eR$2h",
        "lc4,#",
        "%d,HR",
        "dY::_*",
        "p__dO",
        "l7zFJLH",
        "dS4?K)",
        "d*%Z$",
        "p1x8S",
        "3aJJsIw!@yNs",
        "zn2.%",
        "7VR9$F6",
        "XOQfw",
        "\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellServiceObjects\\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}",
        "9$:G:M:T:Z:m:{:",
        "sendt3",
        "ZT'%.",
        "xULP<",
        "ly1E0JC2",
        "ZwQueryInformationFile",
        "k1;09H!2@Tm",
        "ZwAlertThread",
        "\"8 @e",
        "\".FS4j",
        "LdrFindEntryForAddress",
        "WWWWV",
        "\\<d,i",
        "cEG.k",
        "<symQ08",
        "%I1.X",
        "p.,=]<xI ",
        "ZwImpersonateThread",
        "pA]A\\_^]",
        "aShrecv",
        "L68 V",
        "|+Cd*0",
        "*<*u@UaD,",
        "&<,'WGig",
        "CloseServiceHandle",
        "hu@:ju01ju",
        ";U<w=",
        "NBR)64",
        ".data",
        ":so9:",
        "Ne8A_",
        "v'xCzW|]~",
        "LdrGetProcedureAddress",
        "\\u858",
        "CryptGenRandom",
        "j Vr[",
        "A Q4@W",
        "l)I`+u",
        "RtlFreeUnicodeString",
        "'H=BVP",
        "9DtOQR(WJB!",
        ".rsrc",
        ":&:B:L:",
        "VQ\".D",
        "SH(\"e",
        "FpYsg",
        "L$0PQ",
        "!_]eWG@NP",
        " w $xp",
        "ZwCreateEvent",
        "a&\"km*",
        "recvt",
        "WS2_32.dll",
        ",TTdVH^",
        ":(:<:`:|:",
        "AMsMpEng.exe",
        "2P3i3~3",
        "GpE%*",
        "mpssvc",
        ";|vbna<",
        "SXk4;",
        "LdrGetDllHandle",
        "Y(,:LR3",
        "X #Yb",
        "RZ SV",
        "ZwEnumerateKey",
        "jptEp",
        "d~W~f~D~~~Yz",
        "3^476",
        "6*7z7",
        "secur",
        "lphaBYB",
        "$9?T5",
        "r,cHdo",
        "Rtl:Ge",
        "AMpCmdRun.exe",
        "L3%Q;",
        "Qaj*:B",
        "=Phj\"",
        "B}-+i",
        "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
        "S'h|%",
        " eQlq'",
        "\"gz= @]|Y",
        "h[@Lw"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
      "process_name": "invoice_231836298371.exe",
      "module_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
      "pid": 3236
    }
  ],
  "dropped": [
    {
      "name": [
        "InstallFlashPlayer.exe"
      ],
      "path": "/opt/CAPEv2/storage/analyses/95/files/672ec8dceafd429c1a09cfafbc4951968953e2081e0d97243040db16edb24429",
      "guest_paths": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
      ],
      "size": 89248,
      "crc32": "A2E20162",
      "md5": "2ff9b590342c62748885d459d082295f",
      "sha1": "5c921b125bac24670d2bf27659e100cdf24e7e7f",
      "sha256": "672ec8dceafd429c1a09cfafbc4951968953e2081e0d97243040db16edb24429",
      "sha512": "755129c2353e03dd006d413215d2d2205d2dca9a1b13adfc3f8c4525e66f4d7b935c1d6260c80fb24488960babd71860cf329935ebd9a3690948933afceab5bf",
      "rh_hash": null,
      "ssdeep": "1536:COKkfQ/WhHO2Vg8kpVuie/IvEpzejfswxkif+bjGQrN18ouj2J8wh:COKuQ+hH3Vg8qIiCMg8Ewxkif+bjGQrj",
      "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1C193485273E88530F4B35B74BEBAB2525AB7FD902C31D62F6385224C1D30790E6667A3",
      "sha3_384": "209d23ff435ab2b583275fa3a569dd145e0b497abc447bba0800025b455631fc15c5cb9e67aecceaed27e547a2fbb090",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\95\\invoice_231836298371.exe",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x00004a4d",
        "ep_bytes": "33c050505050e8befcffffccff742404",
        "peid_signatures": null,
        "reported_checksum": "0x00020990",
        "actual_checksum": "0x00020990",
        "osversion": "5.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": "Morpheme.pdb",
        "imports": {
          "KERNEL32": {
            "dll": "KERNEL32.dll",
            "imports": [
              {
                "address": "0x40d000",
                "name": "GetLastError"
              },
              {
                "address": "0x40d004",
                "name": "CreateMutexW"
              },
              {
                "address": "0x40d008",
                "name": "CloseHandle"
              },
              {
                "address": "0x40d00c",
                "name": "ExitProcess"
              },
              {
                "address": "0x40d010",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x40d014",
                "name": "LocalFree"
              },
              {
                "address": "0x40d018",
                "name": "LocalAlloc"
              },
              {
                "address": "0x40d01c",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x40d020",
                "name": "GetVersionExA"
              },
              {
                "address": "0x40d024",
                "name": "SetThreadLocale"
              },
              {
                "address": "0x40d028",
                "name": "GetExitCodeProcess"
              },
              {
                "address": "0x40d02c",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x40d030",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x40d034",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x40d038",
                "name": "HeapAlloc"
              },
              {
                "address": "0x40d03c",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x40d040",
                "name": "HeapFree"
              },
              {
                "address": "0x40d044",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x40d048",
                "name": "QueueUserAPC"
              },
              {
                "address": "0x40d04c",
                "name": "SetWaitableTimer"
              },
              {
                "address": "0x40d050",
                "name": "ExitThread"
              },
              {
                "address": "0x40d054",
                "name": "CreateWaitableTimerW"
              },
              {
                "address": "0x40d058",
                "name": "CreateThread"
              },
              {
                "address": "0x40d05c",
                "name": "FindResourceW"
              },
              {
                "address": "0x40d060",
                "name": "CreateDirectoryW"
              },
              {
                "address": "0x40d064",
                "name": "ReadFile"
              },
              {
                "address": "0x40d068",
                "name": "GetFileSize"
              },
              {
                "address": "0x40d06c",
                "name": "CreateFileW"
              },
              {
                "address": "0x40d070",
                "name": "MoveFileExW"
              },
              {
                "address": "0x40d074",
                "name": "WriteFile"
              },
              {
                "address": "0x40d078",
                "name": "GetTempFileNameW"
              },
              {
                "address": "0x40d07c",
                "name": "GetTempPathW"
              },
              {
                "address": "0x40d080",
                "name": "RemoveDirectoryW"
              },
              {
                "address": "0x40d084",
                "name": "DeleteFileW"
              },
              {
                "address": "0x40d088",
                "name": "FreeLibrary"
              },
              {
                "address": "0x40d08c",
                "name": "FreeResource"
              },
              {
                "address": "0x40d090",
                "name": "LockResource"
              },
              {
                "address": "0x40d094",
                "name": "SizeofResource"
              },
              {
                "address": "0x40d098",
                "name": "LoadResource"
              },
              {
                "address": "0x40d09c",
                "name": "LoadLibraryW"
              },
              {
                "address": "0x40d0a0",
                "name": "SetFilePointer"
              },
              {
                "address": "0x40d0a4",
                "name": "GetProcAddress"
              },
              {
                "address": "0x40d0a8",
                "name": "GetSystemDirectoryW"
              },
              {
                "address": "0x40d0ac",
                "name": "GetSystemTime"
              },
              {
                "address": "0x40d0b0",
                "name": "FindResourceA"
              },
              {
                "address": "0x40d0b4",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x40d0b8",
                "name": "LoadLibraryA"
              },
              {
                "address": "0x40d0bc",
                "name": "GetThreadLocale"
              },
              {
                "address": "0x40d0c0",
                "name": "InterlockedExchange"
              },
              {
                "address": "0x40d0c4",
                "name": "RaiseException"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0000e9e0",
            "size": "0x00000028"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00010000",
            "size": "0x000065f0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00014600",
            "size": "0x000016a0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00017000",
            "size": "0x00000564"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x0000d0d0",
            "size": "0x0000001c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x0000d000",
            "size": "0x000000cc"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x0000e37c",
            "size": "0x000000a0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x0000b16d",
            "size_of_data": "0x0000b200",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.50"
          },
          {
            "name": ".rdata",
            "raw_address": "0x0000b600",
            "virtual_address": "0x0000d000",
            "virtual_size": "0x00001e59",
            "size_of_data": "0x00002000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.84"
          },
          {
            "name": ".data",
            "raw_address": "0x0000d600",
            "virtual_address": "0x0000f000",
            "virtual_size": "0x00000130",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "2.47"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x0000d800",
            "virtual_address": "0x00010000",
            "virtual_size": "0x000065f0",
            "size_of_data": "0x00006600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.45"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00013e00",
            "virtual_address": "0x00017000",
            "virtual_size": "0x00000790",
            "size_of_data": "0x00000800",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "5.04"
          }
        ],
        "overlay": {
          "offset": "0x00014600",
          "size": "0x000016a0"
        },
        "resources": [
          {
            "name": "LZMG",
            "offset": "0x000127c0",
            "size": "0x000003b3",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.79"
          },
          {
            "name": "TYPELIB",
            "offset": "0x00010780",
            "size": "0x0000203c",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.70"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014ca8",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_SWEDISH",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000135a8",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_CHINESE",
            "sublanguage": "SUBLANG_CHINESE_TRADITIONAL",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000153d8",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_CZECH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013770",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_GERMAN",
            "sublanguage": "SUBLANG_GERMAN",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00012bb0",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013c10",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_FRENCH",
            "sublanguage": "SUBLANG_FRENCH",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014068",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_ITALIAN",
            "sublanguage": "SUBLANG_ITALIAN",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00012f18",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_JAPANESE",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013340",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_KOREAN",
            "sublanguage": "SUBLANG_KOREAN",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000148b8",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_DUTCH",
            "sublanguage": "SUBLANG_DUTCH",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000157a8",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_POLISH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015088",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_PORTUGUESE",
            "sublanguage": "SUBLANG_PORTUGUESE_BRAZILIAN",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015b28",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_RUSSIAN",
            "sublanguage": "SUBLANG_RUSSIAN",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015ee8",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_TURKISH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013178",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_CHINESE",
            "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000144b8",
            "size": "0x00000026",
            "filetype": null,
            "language": "LANG_SPANISH",
            "sublanguage": "SUBLANG_SPANISH_MODERN",
            "entropy": "0.52"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014fd0",
            "size": "0x00000080",
            "filetype": null,
            "language": "LANG_SWEDISH",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.61"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000136e0",
            "size": "0x00000058",
            "filetype": null,
            "language": "LANG_CHINESE",
            "sublanguage": "SUBLANG_CHINESE_TRADITIONAL",
            "entropy": "2.58"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000156e0",
            "size": "0x0000008a",
            "filetype": null,
            "language": "LANG_CZECH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "2.82"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013b50",
            "size": "0x00000082",
            "filetype": null,
            "language": "LANG_GERMAN",
            "sublanguage": "SUBLANG_GERMAN",
            "entropy": "2.62"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00012e78",
            "size": "0x00000062",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.30"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013fa8",
            "size": "0x00000084",
            "filetype": null,
            "language": "LANG_FRENCH",
            "sublanguage": "SUBLANG_FRENCH",
            "entropy": "2.65"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000143f0",
            "size": "0x0000008a",
            "filetype": null,
            "language": "LANG_ITALIAN",
            "sublanguage": "SUBLANG_ITALIAN",
            "entropy": "2.58"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000130e0",
            "size": "0x0000005e",
            "filetype": null,
            "language": "LANG_JAPANESE",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "2.69"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013510",
            "size": "0x0000005c",
            "filetype": null,
            "language": "LANG_KOREAN",
            "sublanguage": "SUBLANG_KOREAN",
            "entropy": "2.62"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014bf0",
            "size": "0x00000080",
            "filetype": null,
            "language": "LANG_DUTCH",
            "sublanguage": "SUBLANG_DUTCH",
            "entropy": "2.57"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015a78",
            "size": "0x00000076",
            "filetype": null,
            "language": "LANG_POLISH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "2.51"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015330",
            "size": "0x0000006a",
            "filetype": null,
            "language": "LANG_PORTUGUESE",
            "sublanguage": "SUBLANG_PORTUGUESE_BRAZILIAN",
            "entropy": "2.36"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015e30",
            "size": "0x00000076",
            "filetype": null,
            "language": "LANG_RUSSIAN",
            "sublanguage": "SUBLANG_RUSSIAN",
            "entropy": "3.15"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00016178",
            "size": "0x00000066",
            "filetype": null,
            "language": "LANG_TURKISH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "2.39"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000132b0",
            "size": "0x00000054",
            "filetype": null,
            "language": "LANG_CHINESE",
            "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
            "entropy": "2.50"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000147f8",
            "size": "0x00000082",
            "filetype": null,
            "language": "LANG_SPANISH",
            "sublanguage": "SUBLANG_SPANISH_MODERN",
            "entropy": "2.57"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014cd0",
            "size": "0x000002fe",
            "filetype": null,
            "language": "LANG_SWEDISH",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "3.16"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000135d0",
            "size": "0x0000010a",
            "filetype": null,
            "language": "LANG_CHINESE",
            "sublanguage": "SUBLANG_CHINESE_TRADITIONAL",
            "entropy": "5.46"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015400",
            "size": "0x000002da",
            "filetype": null,
            "language": "LANG_CZECH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "3.49"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013798",
            "size": "0x000003b4",
            "filetype": null,
            "language": "LANG_GERMAN",
            "sublanguage": "SUBLANG_GERMAN",
            "entropy": "3.17"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00012bd8",
            "size": "0x0000029e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.12"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013c38",
            "size": "0x0000036c",
            "filetype": null,
            "language": "LANG_FRENCH",
            "sublanguage": "SUBLANG_FRENCH",
            "entropy": "3.26"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014090",
            "size": "0x0000035e",
            "filetype": null,
            "language": "LANG_ITALIAN",
            "sublanguage": "SUBLANG_ITALIAN",
            "entropy": "3.11"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00012f40",
            "size": "0x000001a0",
            "filetype": null,
            "language": "LANG_JAPANESE",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "4.71"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013368",
            "size": "0x000001a2",
            "filetype": null,
            "language": "LANG_KOREAN",
            "sublanguage": "SUBLANG_KOREAN",
            "entropy": "5.09"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000148e0",
            "size": "0x0000030e",
            "filetype": null,
            "language": "LANG_DUTCH",
            "sublanguage": "SUBLANG_DUTCH",
            "entropy": "3.16"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000157d0",
            "size": "0x000002a4",
            "filetype": null,
            "language": "LANG_POLISH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "3.39"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000150b0",
            "size": "0x0000027e",
            "filetype": null,
            "language": "LANG_PORTUGUESE",
            "sublanguage": "SUBLANG_PORTUGUESE_BRAZILIAN",
            "entropy": "3.14"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015b50",
            "size": "0x000002da",
            "filetype": null,
            "language": "LANG_RUSSIAN",
            "sublanguage": "SUBLANG_RUSSIAN",
            "entropy": "3.74"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015f10",
            "size": "0x00000266",
            "filetype": null,
            "language": "LANG_TURKISH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "3.32"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000131a0",
            "size": "0x0000010e",
            "filetype": null,
            "language": "LANG_CHINESE",
            "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
            "entropy": "5.24"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000144e0",
            "size": "0x00000312",
            "filetype": null,
            "language": "LANG_SPANISH",
            "sublanguage": "SUBLANG_SPANISH_MODERN",
            "entropy": "3.13"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014c70",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_SWEDISH",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013570",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_CHINESE",
            "sublanguage": "SUBLANG_CHINESE_TRADITIONAL",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x000153a0",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_CZECH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013738",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_GERMAN",
            "sublanguage": "SUBLANG_GERMAN",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00012b78",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013bd8",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_FRENCH",
            "sublanguage": "SUBLANG_FRENCH",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014030",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_ITALIAN",
            "sublanguage": "SUBLANG_ITALIAN",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00012ee0",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_JAPANESE",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013308",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_KOREAN",
            "sublanguage": "SUBLANG_KOREAN",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014880",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_DUTCH",
            "sublanguage": "SUBLANG_DUTCH",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015770",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_POLISH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015050",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_PORTUGUESE",
            "sublanguage": "SUBLANG_PORTUGUESE_BRAZILIAN",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015af0",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_RUSSIAN",
            "sublanguage": "SUBLANG_RUSSIAN",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00015ea8",
            "size": "0x0000003a",
            "filetype": null,
            "language": "LANG_TURKISH",
            "sublanguage": "SUBLANG_DEFAULT",
            "entropy": "1.56"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00013140",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_CHINESE",
            "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
            "entropy": "1.48"
          },
          {
            "name": "RT_STRING",
            "offset": "0x00014480",
            "size": "0x00000038",
            "filetype": null,
            "language": "LANG_SPANISH",
            "sublanguage": "SUBLANG_SPANISH_MODERN",
            "entropy": "1.48"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x000161e0",
            "size": "0x00000410",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.45"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Adobe Systems, Inc."
          },
          {
            "name": "FileDescription",
            "value": "Adobe® Flash® Player Installer/Uninstaller 11.0 r1"
          },
          {
            "name": "FileVersion",
            "value": "11,0,1,152"
          },
          {
            "name": "InternalName",
            "value": "Adobe® Flash® Player Installer/Uninstaller 11.0"
          },
          {
            "name": "LegalCopyright",
            "value": "Copyright © 1996-2011 Adobe, Inc."
          },
          {
            "name": "LegalTrademarks",
            "value": "Adobe® Flash® Player"
          },
          {
            "name": "OriginalFilename",
            "value": "FlashUtil.exe"
          },
          {
            "name": "ProductName",
            "value": "Flash® Player Installer/Uninstaller"
          },
          {
            "name": "ProductVersion",
            "value": "11,0,1,152"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "843d987be462af4b31fef46a49ea7204",
        "timestamp": "2011-09-23 23:20:51",
        "icon": null,
        "icon_hash": null,
        "icon_fuzzy": null,
        "icon_dhash": null,
        "imported_dll_count": 1
      },
      "data": null,
      "strings": [
        "GetMessageW",
        "$Ap_nFileSizeHiWWW",
        "<I=S=",
        "1Instalator jest uszkodzony. Pobierz go ponownie.",
        "HP9T$",
        "CryptVerifyMessageSignature",
        "te jej znovu.",
        "FreeLibrary",
        "U YY3",
        "uninstall",
        "kleyici indirilirken bir hata olu",
        "p_fileLeafNameWW",
        "GetLastError",
        "9H:a:h:u:|:%;3;F;&<,<W<i<",
        "GetSystemTime",
        ",Wp_numToReadW",
        "ExitThread",
        "qp_dwFileAttributesWW",
        " compatibile con il sistema operativo.",
        "Adobe Flash Player Installer/Uninstaller",
        "filenameVersionSuffix",
        "berpr",
        "<{<#>",
        ">\">/>=>G>Q>[>e>o>y>",
        "TCe programme d",
        "CreateDIBSection",
        "0123456789ABCDEF",
        "BrokerDelayScreensaverWWd",
        "CreateThread",
        "~FlashBrokerImp4W",
        "t!Vht",
        "GetTempFileNameW",
        "RegCloseKey",
        "czenie z Internetem i spr",
        "GetDC",
        "InternalName",
        "PostMessageW",
        " Player Installer/Uninstaller 11.0",
        "[0Y0W0U",
        "N$+F,",
        "VeriSign, Inc.1+0)",
        "QRPh|",
        "secure@macromedia.com1",
        "Une erreur est survenue lors du t",
        ")Instalator programu Adobe",
        "CodeSignRootCert",
        "FlashInstall.log",
        "6c6y6",
        "internetu, a zkuste to znovu.",
        " conectado ",
        ";BrokerLMLaunchWW",
        "0 040H0\\0",
        "p_searchPath",
        "Ah?$A",
        "p_dataWW",
        "broker",
        "p_realmW",
        "5Instala",
        " Player ^ Installer",
        " Player",
        "BrokerLcdDispatchMessage",
        "k igen",
        "12272",
        "LocalFree",
        "4pk);",
        "BrokerLcdPruneDeadMessageWWW",
        "Msimg32.dll",
        "Det intr",
        "GetExitCodeProcess",
        "CreateCompatibleBitmap",
        "<Q<c<w<",
        "essayez.",
        "window key up",
        "LFehlerhaftes Installationsprogramm. Laden Sie das Programm erneut herunter.",
        "BrokerMoveFileEx",
        "_:p_msgDataWWW",
        "CX@t9VW",
        "<Este instalador n",
        "262T2o2",
        "InstallVector",
        "AAFFf",
        "IFlashBroker2WWWd",
        "n est",
        "r installationsprogrammet ",
        "ElSVW",
        "W0f0K0",
        "Verbindung wird hergestellt...",
        "BrokerGetFileAttributesExWWW",
        "InternetReadFile",
        "(0&0$",
        "PrefixCommandLine",
        "VeriSign Trust Network1:08",
        "p_readOnlyWW",
        "jPXSSj",
        "*Corrupt installer. Please download again.",
        "ffat.",
        "AlphaBlend",
        "y>]r}",
        " Player Installer/Uninstaller 11.0 r1",
        "jdX9Ch~",
        "pl_sgn.z",
        "5#5'5+5/535S5",
        "/Installatieprogramma van Adobe",
        " 0$0,1014181<1@1D1H1L1P1T1X1\\1`1d1",
        "skiparpentry",
        " Player Installer",
        "hp_oldFileNameWWW",
        "%VeriSign Class 3 Code Signing 2010 CA0",
        "CryptGetMessageCertificates",
        "Adobe Flash Player ^ ",
        "8/8k8",
        "$Adobe Flash Playe",
        "=7=B=",
        "CloseHandle",
        "DeleteDC",
        "FreeSid",
        "Macromed",
        "ShowWindow",
        "installation endommag",
        "LegalCopyright",
        "GetCommandLineW",
        "Adobe",
        ":0806",
        "PostfixCommandLine",
        "Conectando...",
        "p_ftCreationTimeHiWW",
        "+BrokerLcdLockWWW",
        "GetSidSubAuthorityCount",
        "Western Cape1",
        "FileDescription",
        "@9NPtO",
        "GetThreadLocale",
        "GetVersionExA",
        "PX9T$",
        "Adobe Systems Incorporated0",
        "HeapFree",
        "LoadLibraryA",
        "hem stahov",
        "FlashBroker ",
        "InternetOpenW",
        "czenie...",
        "90705",
        "!Adobe",
        "_zj1.",
        "031204000000Z",
        "ADVAPI32.dll",
        "runas",
        "An unknown error has occurred.",
        "essayer",
        "^;-jbJi",
        "Riprova",
        "VeriSignMPKI-2-80",
        "040904b0",
        "p_moveMethod",
        "San Jose1#0!",
        "1Archivo de instalaci",
        "Repetir",
        "VarFileInfo",
        "Verificando...",
        "QQVWj",
        "GetProcAddress",
        "5(5A5U5i5}5",
        "PSSSSSS",
        "<<<Obsolete>>",
        " Player ^ Y",
        "Durbanville1",
        "RaiseException",
        "1Installationsprogramm f",
        "letim sisteminizle uyumlu de",
        " Player Installer/Uninstaller",
        "GetEnvironmentVariableW",
        "BrokerPrefDeleteFlashPlayerVersionWW",
        "BrokerFindCloseW",
        "051L1h1y1",
        ">$?T?",
        "vel com o sistema operacional.",
        "!yQ(i)",
        "t(Ht!Ht",
        "ShellExecuteExW",
        "BrokerSaveDialog",
        "SetTimer",
        "DispatchMessageW",
        "jBrokerWriteFileW",
        "ybkg[``",
        " Player ^",
        ",~;Kj",
        "BrokerCreateDirectoryWWW",
        "t#h@w",
        "utilExeFilenameAX",
        "e0c0$",
        "ProductVersion",
        "p_findCookie",
        "GetKeyState",
        "-Er heeft zich een onbekende fout voorgedaan.",
        "Ht{Ht",
        "200207235959Z0",
        "YY_^[",
        "IFlashBroker4WWW",
        "MapWindowPoints",
        "DBrokerLcdGetMessageTargetWWW",
        "DestroyWindow",
        "7:8?8",
        "QueueUserAPC",
        "OpenProcessToken",
        "Sh+B,V+",
        "Qh5L@",
        ")p_truncateOnOpen",
        "playerFilenameAX",
        "u t@QQ",
        "WaitForSingleObject",
        "p_ftLastWriteTimeHiW",
        "GetWindowRect",
        "NQuesto programma di installazione non ",
        "Sprawdzanie poprawno",
        "CertVerifySubjectCertificateContext",
        "OD0n0",
        "BrokerLcdFindConnectionFormatWWW",
        "kernel32",
        "NpFileNameWWW",
        "https://www.verisign.com/rpa0",
        "OriginalFilename",
        "Shell32.dll",
        "strong",
        "QQSV3",
        "kleyici bozuk. L",
        "BrokerMarkFileUnsafe",
        "j7_QQ",
        "SetForegroundWindow",
        "Mt_^3",
        "IFlashBroker",
        "Gp_newFileNameWWW",
        "m opera",
        "z;T0S",
        "VS_VERSION_INFO",
        "Controleren",
        "Flash",
        "GetCurrentProcess",
        "p_fileVersionMSW",
        "CreateFontA",
        "SetWaitableTimer",
        "<+<^<",
        "p_ftLastAccessTimeHi",
        "sp_string",
        "110923233535Z0#",
        " Internet",
        "OutputDebugStringW",
        "Thawte1",
        "ecrypt32.dll",
        "1A2I2R2",
        "AllocateAndInitializeSid",
        "MoveWindow",
        "<VeriSign Class 3 Public Primary Certification Authority - G50",
        "LoadLibraryW",
        "HX@j8",
        "FlashBrokerImpWWX",
        "-Skadat installationsprogram. H",
        "ReleaseCapture",
        "BrokerPrefGetFlashPlayerVersionWd",
        "install",
        "n. Compruebe la conexi",
        "0Installer is beschadigd. Download deze opnieuw.",
        "6^bMRQ4q",
        "SHGetFolderPathW",
        "p_xmlFromServerW",
        "p_distanceToMove",
        "Er is een fout opgetreden tijdens het downloaden van de installer. Controleer of u een internetverbinding hebt en probeer het opnieuw.",
        "&Macromedia Flash Certificate Authority1",
        "CreateWaitableTimerW",
        "v\\Omi",
        "p_fileVersionLSW",
        "en 1033;cs 1029;de 1031;es 3082;fr 1036;it 1040;ja 1041;ko 1042;nl 1043;pl 1045;pt 1046;ru 1049;sv 1053;tr 1055;zh_Hans 2052;zh_Hant 1028;",
        "p_fileNameWW",
        "tLHt+Ht",
        ",0*0(",
        "i0g0e",
        "DeleteObject",
        "InterlockedExchange",
        "InternetCloseHandle",
        "ReleaseDC",
        "TSA1-20",
        "mtas. Kontrollera att datorn ",
        "uW0~0W0_0",
        " program nen",
        "p_lmCookieWW",
        "=A>R>",
        "vBrokerLMOpenDownload",
        "GetTokenInformation",
        "RegisterClassExW",
        "<:<t<",
        "CallWindowProcW",
        "ipojeni k",
        " Adobe",
        "zSe ha producido un error al descargar el programa de instalaci",
        "RegCreateKeyExW",
        "LoadCursorW",
        "6.7E7",
        ">Programma di installazione danneggiato. Scaricatelo di nuovo.",
        "vW0f0O0`0U0D0",
        "%VeriSign Class 3 Code Signing 2010 CA",
        "150613010142Z0",
        "WriteFile",
        "p_fileAttrsW",
        "installation d",
        "7,7C7",
        "ExitProcess",
        "SizeofResource",
        "p_realmToSeekWWW",
        "(NtS*",
        "GetClientRect",
        "TSA2048-1-530",
        "http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_",
        "~FlashBrokerImp2W",
        "qyBrokerRemoveDirectoryWWW",
        "SetBkMode",
        ";!;=;b;j;x;",
        "1(c) 2006 VeriSign, Inc. - For authorized use only1E0C",
        "InvalidateRect",
        "RemoveDirectoryW",
        "6$7,7i7",
        "7U7w7",
        "p_filePathWW",
        "Arial",
        "SetTextColor",
        "JcEG.k",
        "8 9*979O9^9",
        "GetModuleHandleW",
        "\"http://crl.verisign.com/tss-ca.crl0",
        "Flash Player",
        "installation. V",
        "Verifying...",
        "DefWindowProcW",
        "Connexion en cours...",
        "{FEC7EF28-53E7-4f06-8F56-FA6D670C8D3C}",
        "0L04x",
        "r installationsprogrammet skulle h",
        ";wTt SW",
        "tes connect",
        "HeapAlloc",
        "070615000000Z",
        "120614235959Z0\\1",
        "TranslateMessage",
        "BrokerDeleteFile",
        "update",
        "chargez-le ",
        "0Installatieprogramma van Adobe",
        "ProductName",
        "?8?I?a?u?",
        "p_format",
        "WWWWW",
        ";Ten instalator nie jest zgodny z tym systemem operacyjnym.",
        "http://ocsp.verisign.com0;",
        "FoVe.@",
        "LocalAlloc",
        "c'`L0B0",
        " v<9]",
        "tZHtSHtLHuTj4",
        "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AllowProtectedRenames",
        "Verbinding maken...",
        " program aplikace Adobe",
        "4)434I4",
        "LegalTrademarks",
        " kompatibiln",
        "atl.dll",
        "te, zda jste p",
        "~kBrokerLcdMessageTimeoutW",
        "GetProcessHeap",
        "LoadResource",
        "mta det igen.",
        "InternetConnectW",
        "IsWow64Process",
        "p_refURL",
        "SetWindowTextW",
        " chyb",
        "2;3G3]3",
        "11,0,1,152",
        "SSVhoL@",
        "UINT_PTR",
        "Retry",
        "GDI32.dll",
        "ShellExecuteW",
        "p_dirNameWWW",
        " 1996-2011 Adobe, Inc.",
        " Player Y",
        "3p_realmToAdd",
        "\"Une erreur inconnue est survenue.",
        "ho programu do",
        "GetSystemDirectoryW",
        "-uninstall plugin",
        "AdobeFlashPlayerInstaller",
        "p_lockTimeWW",
        "VeriSign, Inc.1402",
        "CertCreateCertificateContext",
        "=This installer is not compatible with your operating system.",
        "GetFileSize",
        "LoadStringW",
        "rulan",
        "MessageBoxW",
        "GetSidSubAuthority",
        "r Adobe",
        "5Programma di installazione di Adobe",
        "#http://logo.verisign.com/vslogo.gif04",
        "4N4W4o4y4",
        "dW0f0D0~0Y0",
        "9.959u9",
        "USER32.dll",
        "tu. L",
        "6%606Z6",
        "CreateSolidBrush",
        "p_numReadWWW",
        ";De Installer is niet compatibel met het besturingssysteem.",
        "lo k chyb",
        "HttpQueryInfoW",
        "Flash Player Seed/3.0",
        "MoveFileExW",
        "SetWindowLongW",
        "BeginPaint",
        "!This program cannot be run in DOS mode.",
        "+Instalator programu Adobe",
        "t$$WV",
        "lo k nezn",
        "p_ftCreationTimeLoWW",
        "Fp_resultCode",
        "p_timeoutWWW",
        "FreeResource",
        "BrokerSetFilePointer",
        "p_fileCookie",
        "kozen",
        "CreateDirectoryW",
        "FindResourceA",
        " compat",
        "bPodczas pobierania instalatora wyst",
        "BrokerLcdTryAddConnectionWWW",
        "?7!Op1",
        "r inte kompatibelt med operativsystemet.",
        ";.;7;G;W;~<",
        "ax_sgn.z",
        "CEste programa de instalaci",
        "Opnieuw",
        "BitBlt",
        "p_ftLastWriteTimeLoW",
        "SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "rifiez que vous ",
        "RegServer",
        "-0+0)",
        "HBrokerPrefSetExceptionDialogSize",
        "CreateWindowExW",
        "kBrokerLcdRemoveConnectionWWW",
        "p_widthW",
        " nieznany b",
        "p_chosenFilePath",
        "GetParent",
        "0L0zv",
        ";#;:;",
        "(Ein unbekannter Fehler ist aufgetreten.",
        "RegSetValueExW",
        "G8J-l",
        "1:2_2",
        "Verifica...",
        "6)666C6P6]6j6w6",
        ".text",
        "Mincho",
        "FlashBrokerLibWW",
        "CertFreeCertificateContext",
        "100208000000Z",
        "2Programme d",
        "=O====== ",
        "9%:l:",
        "Reintentar",
        "chargement du programme d",
        " nouveau.",
        "GetSystemWow64DirectoryW",
        "#http://crl.verisign.com/pca3-g5.crl04",
        "Connecting...",
        "2Terms of use at https://www.verisign.com/rpa (c)101.0,",
        "GetWindow",
        "image/gif0!0",
        "SetFilePointer",
        "@k / ",
        "Z0X03",
        "FX@YYt",
        "#Adobe",
        "Wininet.dll",
        "rification en cours...",
        "Kontrollerar...",
        "ncpFilename",
        "1)1:4A4",
        "NativeCache",
        "SSSSP",
        "*Instalador corrompido. Baixe-o novamente.",
        "e Adobe",
        "California1",
        "kleyici, i",
        "0Archivo de instalaci",
        "p_numWritten",
        "0 0(0,0004080<0@0D0H0L0P0T0X0`0d0h0p0t0x0|0",
        "Hui8]",
        "NBrokerReadFileWW",
        "InstallFlashPlayer.exe",
        " Flash",
        "DeleteFileW",
        "0Installationsprogramm f",
        " Internet, puis r",
        "ado. Vuelva a descargarlo.",
        "bOcorreu um erro ao baixar o instalador. Verifique se est",
        "playerFilenamePL",
        "F Sj<",
        "DrawTextW",
        "ReadFile",
        "US1$0\"",
        "x4J#P,",
        "SHELL32.dll",
        " program je po",
        "BrokerLMUpdateDownloadWW",
        "HTTP/1.0",
        "1=1J1",
        "7K8h8",
        "force",
        "FlashBroker",
        "Yeniden Dene",
        ">Programme d",
        "yor...",
        "http://ocsp.verisign.com0",
        "&Se ha producido un error desconocido.",
        "-uninstall activex",
        "~FlashBrokerImp3W ",
        ">El programa de instalaci",
        "CodeSignLogFile",
        "HttpOpenRequestW",
        "BrokerLcdLockTimeWWW",
        "FlashUtil.exe",
        "VeriSign, Inc.1",
        "Created by MIDL version 7.00.0500 at Fri Sep 23 16:20:29 2011",
        "4Programma di installazione di Adobe",
        "BrokerFindNextFileWW",
        ">(>I>c>",
        "\"Vp_applicationNameWWW",
        "installation n",
        "fen...",
        "stdole2.tlbWWW",
        "ffade ett fel n",
        "PostQuitMessage",
        "CompanyName",
        "/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D",
        "player",
        "GetWindowLongW",
        "p_senderSwfVersionWW",
        ",SVWQQ",
        "p_refCountWW",
        ">F>R>w?~?",
        "SelectObject",
        "EndPaint",
        "QBrokerCloseHandleWWW",
        "_Bf|v",
        "Th4'd",
        "p_ftLastAccessTimeLo",
        "ML_^3",
        "CreateCompatibleDC",
        "embedding",
        "Morpheme.pdb",
        "n a Internet y vuelva a intentarlo.",
        "BrokerPrefGetAndDeleteFlashPlayerVersion",
        "l0BrokerPrefGetExceptionDialogSize",
        "p_height",
        "0(040<0g0y0",
        "0http://crl.verisign.com/ThawteTimestampingCA.crl0",
        "0g0S1",
        "%Instalador do Adobe",
        "@.reloc",
        "est pas compatible avec votre syst",
        "Mingliu",
        "n no se admite en su sistema operativo.",
        "/Installationsprogram f",
        "Connessione...",
        "CheckTokenMembership",
        "BrokerFindFirstFileW",
        "YBrokerLcdGetMessageDataW",
        "bdBrokerPrefMarkAutoUpdaterForRunW",
        "101215000000Z",
        "ReleaseMutex",
        "Adobe Systems Incorporated1",
        "https://www.verisign.com/cps0*",
        " Player ",
        "xJ1c5",
        "Zkusit znovu",
        "Bilinmeyen bir hata olu",
        ">[?c?i?n?",
        "=(=2=<=F=P=Z=d=n=x=",
        "/c del \"",
        "Ett ok",
        "IFlashBroker3WWW,",
        "LDieses Installationsprogramm ist mit Ihrem Betriebssystem nicht kompatibel.",
        "5Digital ID Class 3 - Microsoft Software Validation v21#0!",
        "\"VeriSign Time Stamping Services CA0",
        "BrokerLcdUnlockW",
        "SetCapture",
        "joey32",
        "ap_newPositionWWW",
        "Adobe Systems, Inc.",
        "\"VeriSign Time Stamping Services CA",
        "Ap_nFileSizeLoWWW",
        "CreateMutexW",
        "0~0[0",
        "WWWWj",
        "activex",
        "2VCK\\z",
        "Copyright ",
        "p_posWWW",
        "?jp_msgFormatVersionWW",
        "=j;m>6",
        "0W0f0O0`0U0D0",
        "AllowProtectedRenames",
        "0Installationsprogram f",
        "$Instalador do Adobe",
        "buj ponownie.",
        "tfen yeniden indirin.",
        "d. Sprawd",
        "`.rdata",
        "ComSpec",
        "GTento instala",
        "BrokerLMGetVersionWW",
        "Beim Herunterladen des Installationsprogramms ist ein Fehler aufgetreten. Stellen Sie sicher, dass eine Internetverbindung besteht, und versuchen Sie es erneut.",
        "p_sourceURLW",
        "r ansluten till Internet och f",
        "0-Nk0",
        "KERNEL32.dll",
        "exploitation.",
        "9NLtc;",
        "050615010142Z",
        "SetWindowPos",
        "BrokerLcdClearMessageWWW",
        "p_lenWWW",
        " Player ^ ",
        "@SVW3",
        "131203235959Z0S1",
        "StringFileInfo",
        "p_expectedMsgFormatW",
        "Advapi32.dll",
        "-uninstall",
        "FileVersion",
        "181L1Y1o1v1>3",
        "lBUTTON",
        "?'?:?",
        " program p",
        "k igen.",
        "HHt.Ht%Ht",
        "utilExeFilenamePL",
        "000C0J0",
        "I:p_urlWWW",
        "6(:=:_;w;",
        "1Instala",
        "#BrokerCreateFile",
        "Wiederholen",
        "@@Cf9",
        "yAn error has occurred while downloading the installer. Please make sure you are connected to the internet and try again.",
        " Internet e tente novamente.",
        "AtlAxWinInit",
        "LockResource",
        "M/11.0.1.152",
        "ipojov",
        "=1>Q>",
        " verificato un errore sconosciuto.",
        "Ocorreu um erro desconhecido.",
        "p_hwndWW",
        "plugin",
        "Ansluter...",
        "p_lpwstrInitialFileNameW",
        "FillRect",
        "=X====== ",
        "tfen internet ba",
        " kontrol edip yeniden deneyin.",
        "SetCursor",
        "HttpSendRequestW",
        "]_cOW",
        "CertFindCertificateInStore",
        "GetTextExtentExPointW",
        "JDet h",
        "Information Systems1>0<",
        "FindResourceW",
        "121214235959Z0",
        "Flash Player0",
        "+VeriSign Time Stamping Services Signer - G20",
        "\" >> NUL",
        "mms.cfg",
        "m syst",
        "dwFlagsW",
        "ci...",
        "kleyicisi",
        " SVWh",
        "0o0J0",
        ".rsrc",
        "/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0",
        "=0;09",
        " instala",
        "GetForegroundWindow",
        "1Programme d",
        "BrokerLMIsRunningWWWd",
        "nt fel har intr",
        "<F=T=",
        "VeriSign Trust Network1;09",
        "CreateFileW",
        "lBrokerLMCloseDownloadWWW",
        "1Bu y",
        "@.data",
        "SetThreadLocale",
        "p_applicationParamsW",
        "Thawte Certification1",
        "maintain",
        " verificato un errore durante lo scaricamento del programma di installazione. Assicuratevi che la connessione a Internet sia attiva e riprovate.",
        "n de Adobe",
        "Translation",
        "Thawte Timestamping CA0",
        " s va",
        "5D5K5y5",
        "TYPELIB",
        "StretchBlt",
        "{0697F55F-F461-46fc-BABA-6D27CC032A75}",
        "SSSSh",
        "Macromedia, Inc.1",
        "GetTempPathW",
        " ========",
        "-install -skipARPEntry -iv "
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "selfextract": {
        "overlay": {
          "extracted_files": [
            {
              "name": "462357baa4c3662b233706da9b835a034e4d29a1e7e20f661a600801fa864858",
              "path": "/opt/CAPEv2/storage/analyses/95/selfextracted/462357baa4c3662b233706da9b835a034e4d29a1e7e20f661a600801fa864858",
              "guest_paths": [
                "overlay"
              ],
              "size": 5792,
              "crc32": "669C1A4E",
              "md5": "27d6824f6afdf71c1cb1213b704f3db7",
              "sha1": "01304b585c4ea96c9cf7f47e15d4d8488f00f1cf",
              "sha256": "462357baa4c3662b233706da9b835a034e4d29a1e7e20f661a600801fa864858",
              "sha512": "70dc5283f3ce241f33c947b6e06251447266abfa2ac438488fe37a3eee5c3ac11cb5d00c15af9f12c8b7dac781a8d24368ad2032d375b459d548cddf50417051",
              "rh_hash": null,
              "ssdeep": "96:CxiPoHQjzQMLy+ZrSBdAg+vMXN/vkrNXZCsnlTE+TVJo4r90Dd:CxyowJL/Zrwmg+vMXNkr9ZCspE+TM4ri",
              "type": "data",
              "yara": [],
              "cape_yara": [],
              "clamav": [],
              "tlsh": "T1E1C1C5DB0B102866DC899F50E0DBE1379E76B3C52EC4A09750B884C56ECBBB42B5558F",
              "sha3_384": "0e4f6c9bb77f325a2038b92b4429f6d06acf1ce586c91874c7e8afc6f60ab4d7ba6460ffc705d5e2bdc183baefbf39cf",
              "data": null
            }
          ],
          "extracted_files_time": 0.00339113699999416,
          "password": ""
        }
      },
      "cape_type_code": 0,
      "cape_type": "",
      "pid": 3236
    }
  ],
  "CAPE": {
    "payloads": [
      {
        "name": "a43ce4486c8db93856fea66c4d232300ac5cba7ea8aa8f171936d6acd9ef7238",
        "path": "/opt/CAPEv2/storage/analyses/95/CAPE/a43ce4486c8db93856fea66c4d232300ac5cba7ea8aa8f171936d6acd9ef7238",
        "guest_paths": "8;?C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe;?C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe;?0x00400000;?",
        "size": 118272,
        "crc32": "483531D6",
        "md5": "b24f5baf980b1b90bafef788540f9620",
        "sha1": "842db40bcf279acd2ca277999fb02f68290cda9e",
        "sha256": "a43ce4486c8db93856fea66c4d232300ac5cba7ea8aa8f171936d6acd9ef7238",
        "sha512": "160ea4c028f5b01724677b547dfe9f47d12d2dc7f4978181298dc8b85b0231da17c69d2729ddafd1e5356de5e22e8c7619db31306ac6230ed232a22b235ff0b9",
        "rh_hash": null,
        "ssdeep": "3072:qdBuXaFllOQXbk+pj+TiddURolFbnHrZs91krsWTq:q72aFl3XbPj+unLMkrsWq",
        "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
        "yara": [
          {
            "name": "INDICATOR_EXE_Packed_aPLib",
            "meta": {
              "description": "Detects executables packed with aPLib.",
              "author": "ditekSHen"
            },
            "strings": [
              "{ 41 50 33 32 18 00 00 00 E4 41 00 00 D9 1E 80 0E 00 7E 00 00 E3 50 DE 1E 4D 38 5A 90 }",
              "{ 41 50 33 32 18 00 00 00 9C 53 00 00 0E 34 40 EA 00 BE 00 00 6B BA 10 7E 4D 38 5A 90 }",
              "{ 41 50 33 32 18 00 00 00 71 AF 00 00 CF 9E A0 D2 A0 5C 01 00 62 01 E2 A2 4D 38 5A 90 }"
            ],
            "addresses": {
              "header": 61760
            }
          }
        ],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T14FC3F1217BF06075E2F14AB5FEB9663196ABF51A0336C20F0F104A060D7EB8649BD767",
        "sha3_384": "b3fed700d9c86108e537f95921d99f584c3fe5c47e3010cb324ee45b84f58bf171292cd3b0470835c7e4e8fcc031e0c9",
        "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
        "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
        "pe": {
          "guest_signers": {
            "aux_sha1": null,
            "aux_timestamp": null,
            "aux_valid": false,
            "aux_error": true,
            "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\95\\invoice_231836298371.exe",
            "aux_signers": []
          },
          "digital_signers": [],
          "imagebase": "0x00400000",
          "entrypoint": "0x00001e65",
          "ep_bytes": "535657ff15446040000fb7c033ff576a",
          "peid_signatures": null,
          "reported_checksum": "0x00000000",
          "actual_checksum": "0x00026fea",
          "osversion": "5.0",
          "machine_type": "IMAGE_FILE_MACHINE_I386",
          "pdbpath": null,
          "imports": {
            "ntdll": {
              "dll": "ntdll.dll",
              "imports": [
                {
                  "address": "0x4060cc",
                  "name": "ZwFsControlFile"
                },
                {
                  "address": "0x4060d0",
                  "name": "ZwQueryDirectoryFile"
                },
                {
                  "address": "0x4060d4",
                  "name": "RtlIpv4StringToAddressA"
                },
                {
                  "address": "0x4060d8",
                  "name": "ZwGetContextThread"
                },
                {
                  "address": "0x4060dc",
                  "name": "RtlExitUserThread"
                },
                {
                  "address": "0x4060e0",
                  "name": "ZwWriteVirtualMemory"
                },
                {
                  "address": "0x4060e4",
                  "name": "ZwSetInformationFile"
                },
                {
                  "address": "0x4060e8",
                  "name": "ZwTerminateThread"
                },
                {
                  "address": "0x4060ec",
                  "name": "ZwResumeThread"
                },
                {
                  "address": "0x4060f0",
                  "name": "RtlInterlockedPushEntrySList"
                },
                {
                  "address": "0x4060f4",
                  "name": "RtlInterlockedPopEntrySList"
                },
                {
                  "address": "0x4060f8",
                  "name": "RtlNtStatusToDosError"
                },
                {
                  "address": "0x4060fc",
                  "name": "ZwQuerySystemInformation"
                },
                {
                  "address": "0x406100",
                  "name": "ZwAdjustPrivilegesToken"
                },
                {
                  "address": "0x406104",
                  "name": "ZwOpenThreadTokenEx"
                },
                {
                  "address": "0x406108",
                  "name": "ZwTerminateProcess"
                },
                {
                  "address": "0x40610c",
                  "name": "ZwOpenThread"
                },
                {
                  "address": "0x406110",
                  "name": "RtlExpandEnvironmentStrings_U"
                },
                {
                  "address": "0x406114",
                  "name": "ZwQueryValueKey"
                },
                {
                  "address": "0x406118",
                  "name": "ZwOpenKey"
                },
                {
                  "address": "0x40611c",
                  "name": "RtlPrefixUnicodeString"
                },
                {
                  "address": "0x406120",
                  "name": "RtlGetCurrentPeb"
                },
                {
                  "address": "0x406124",
                  "name": "RtlTimeToSecondsSince1980"
                },
                {
                  "address": "0x406128",
                  "name": "ZwCreateEvent"
                },
                {
                  "address": "0x40612c",
                  "name": "ZwOpenEvent"
                },
                {
                  "address": "0x406130",
                  "name": "wcschr"
                },
                {
                  "address": "0x406134",
                  "name": "ZwQueryEaFile"
                },
                {
                  "address": "0x406138",
                  "name": "RtlDosPathNameToNtPathName_U"
                },
                {
                  "address": "0x40613c",
                  "name": "LdrFindEntryForAddress"
                },
                {
                  "address": "0x406140",
                  "name": "ZwAlertThread"
                },
                {
                  "address": "0x406144",
                  "name": "ZwWaitForSingleObject"
                },
                {
                  "address": "0x406148",
                  "name": "ZwDelayExecution"
                },
                {
                  "address": "0x40614c",
                  "name": "ZwOpenProcess"
                },
                {
                  "address": "0x406150",
                  "name": "RtlEqualUnicodeString"
                },
                {
                  "address": "0x406154",
                  "name": "ZwDeleteValueKey"
                },
                {
                  "address": "0x406158",
                  "name": "ZwDeleteKey"
                },
                {
                  "address": "0x40615c",
                  "name": "ZwEnumerateKey"
                },
                {
                  "address": "0x406160",
                  "name": "ZwQueryKey"
                },
                {
                  "address": "0x406164",
                  "name": "ZwDuplicateObject"
                },
                {
                  "address": "0x406168",
                  "name": "RtlComputeCrc32"
                },
                {
                  "address": "0x40616c",
                  "name": "memset"
                },
                {
                  "address": "0x406170",
                  "name": "ZwUnmapViewOfSection"
                },
                {
                  "address": "0x406174",
                  "name": "ZwMapViewOfSection"
                },
                {
                  "address": "0x406178",
                  "name": "ZwCreateSection"
                },
                {
                  "address": "0x40617c",
                  "name": "ZwQueryInformationFile"
                },
                {
                  "address": "0x406180",
                  "name": "ZwImpersonateThread"
                },
                {
                  "address": "0x406184",
                  "name": "ZwWriteFile"
                },
                {
                  "address": "0x406188",
                  "name": "RtlRandomEx"
                },
                {
                  "address": "0x40618c",
                  "name": "ZwQueryInformationProcess"
                },
                {
                  "address": "0x406190",
                  "name": "ZwQueryInformationToken"
                },
                {
                  "address": "0x406194",
                  "name": "ZwOpenProcessToken"
                },
                {
                  "address": "0x406198",
                  "name": "ZwQueryVolumeInformationFile"
                },
                {
                  "address": "0x40619c",
                  "name": "ZwOpenFile"
                },
                {
                  "address": "0x4061a0",
                  "name": "memcpy"
                },
                {
                  "address": "0x4061a4",
                  "name": "wcscpy"
                },
                {
                  "address": "0x4061a8",
                  "name": "ZwSetSecurityObject"
                },
                {
                  "address": "0x4061ac",
                  "name": "RtlAdjustPrivilege"
                },
                {
                  "address": "0x4061b0",
                  "name": "ZwCreateFile"
                },
                {
                  "address": "0x4061b4",
                  "name": "RtlFreeUnicodeString"
                },
                {
                  "address": "0x4061b8",
                  "name": "ZwClose"
                },
                {
                  "address": "0x4061bc",
                  "name": "wcslen"
                },
                {
                  "address": "0x4061c0",
                  "name": "ZwSetValueKey"
                },
                {
                  "address": "0x4061c4",
                  "name": "RtlInitUnicodeString"
                },
                {
                  "address": "0x4061c8",
                  "name": "ZwCreateKey"
                },
                {
                  "address": "0x4061cc",
                  "name": "swprintf"
                },
                {
                  "address": "0x4061d0",
                  "name": "ZwSetContextThread"
                },
                {
                  "address": "0x4061d4",
                  "name": "RtlFormatCurrentUserKeyPath"
                }
              ]
            },
            "KERNEL32": {
              "dll": "KERNEL32.dll",
              "imports": [
                {
                  "address": "0x406040",
                  "name": "LocalFree"
                },
                {
                  "address": "0x406044",
                  "name": "GetVersion"
                },
                {
                  "address": "0x406048",
                  "name": "LocalAlloc"
                },
                {
                  "address": "0x40604c",
                  "name": "CreateTimerQueueTimer"
                },
                {
                  "address": "0x406050",
                  "name": "DeleteTimerQueueTimer"
                },
                {
                  "address": "0x406054",
                  "name": "GetLastError"
                },
                {
                  "address": "0x406058",
                  "name": "BindIoCompletionCallback"
                },
                {
                  "address": "0x40605c",
                  "name": "CreateProcessW"
                },
                {
                  "address": "0x406060",
                  "name": "GetSystemTimeAsFileTime"
                },
                {
                  "address": "0x406064",
                  "name": "DisableThreadLibraryCalls"
                },
                {
                  "address": "0x406068",
                  "name": "ExitThread"
                },
                {
                  "address": "0x40606c",
                  "name": "Sleep"
                },
                {
                  "address": "0x406070",
                  "name": "GetCommandLineW"
                },
                {
                  "address": "0x406074",
                  "name": "CreateThread"
                },
                {
                  "address": "0x406078",
                  "name": "ExitProcess"
                },
                {
                  "address": "0x40607c",
                  "name": "GetModuleHandleW"
                },
                {
                  "address": "0x406080",
                  "name": "GetProcAddress"
                },
                {
                  "address": "0x406084",
                  "name": "VirtualProtect"
                },
                {
                  "address": "0x406088",
                  "name": "GetTickCount"
                }
              ]
            },
            "WS2_32": {
              "dll": "WS2_32.dll",
              "imports": [
                {
                  "address": "0x406098",
                  "name": "WSASendTo"
                },
                {
                  "address": "0x40609c",
                  "name": "setsockopt"
                },
                {
                  "address": "0x4060a0",
                  "name": "WSASend"
                },
                {
                  "address": "0x4060a4",
                  "name": "WSARecv"
                },
                {
                  "address": "0x4060a8",
                  "name": "WSAIoctl"
                },
                {
                  "address": "0x4060ac",
                  "name": "bind"
                },
                {
                  "address": "0x4060b0",
                  "name": "closesocket"
                },
                {
                  "address": "0x4060b4",
                  "name": "WSAGetLastError"
                },
                {
                  "address": "0x4060b8",
                  "name": "WSASocketW"
                },
                {
                  "address": "0x4060bc",
                  "name": "WSACleanup"
                },
                {
                  "address": "0x4060c0",
                  "name": "WSAStartup"
                },
                {
                  "address": "0x4060c4",
                  "name": "WSARecvFrom"
                }
              ]
            },
            "ADVAPI32": {
              "dll": "ADVAPI32.dll",
              "imports": [
                {
                  "address": "0x406000",
                  "name": "StartServiceCtrlDispatcherW"
                },
                {
                  "address": "0x406004",
                  "name": "OpenSCManagerW"
                },
                {
                  "address": "0x406008",
                  "name": "CloseServiceHandle"
                },
                {
                  "address": "0x40600c",
                  "name": "DeleteService"
                },
                {
                  "address": "0x406010",
                  "name": "ChangeServiceConfigW"
                },
                {
                  "address": "0x406014",
                  "name": "ControlService"
                },
                {
                  "address": "0x406018",
                  "name": "OpenServiceW"
                },
                {
                  "address": "0x40601c",
                  "name": "MD5Init"
                },
                {
                  "address": "0x406020",
                  "name": "RegisterServiceCtrlHandlerExW"
                },
                {
                  "address": "0x406024",
                  "name": "SetServiceStatus"
                },
                {
                  "address": "0x406028",
                  "name": "CryptReleaseContext"
                },
                {
                  "address": "0x40602c",
                  "name": "CryptGenRandom"
                },
                {
                  "address": "0x406030",
                  "name": "CryptAcquireContextW"
                },
                {
                  "address": "0x406034",
                  "name": "MD5Final"
                },
                {
                  "address": "0x406038",
                  "name": "MD5Update"
                }
              ]
            },
            "SHELL32": {
              "dll": "SHELL32.dll",
              "imports": [
                {
                  "address": "0x406090",
                  "name": "ShellExecuteExW"
                }
              ]
            }
          },
          "exported_dll_name": "30598-0-v3.exe",
          "exports": [
            {
              "address": "0x41d5c0",
              "name": "AlphaBlend",
              "ordinal": 1
            },
            {
              "address": "0x41d5e9",
              "name": "GradientFill",
              "ordinal": 2
            },
            {
              "address": "0x41d616",
              "name": "TransparentBlt",
              "ordinal": 3
            }
          ],
          "dirents": [
            {
              "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
              "virtual_address": "0x0001d560",
              "size": "0x000000d6"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
              "virtual_address": "0x0001caa0",
              "size": "0x00000078"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
              "virtual_address": "0x0001f000",
              "size": "0x000001e0"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
              "virtual_address": "0x00020000",
              "size": "0x00000450"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_TLS",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_IAT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            }
          ],
          "sections": [
            {
              "name": ".text",
              "raw_address": "0x00000400",
              "virtual_address": "0x00001000",
              "virtual_size": "0x00005000",
              "size_of_data": "0x00004800",
              "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x60000020",
              "entropy": "6.52"
            },
            {
              "name": ".rdata",
              "raw_address": "0x00004c00",
              "virtual_address": "0x00006000",
              "virtual_size": "0x00018000",
              "size_of_data": "0x00017800",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
              "characteristics_raw": "0xc0000040",
              "entropy": "7.84"
            },
            {
              "name": ".data",
              "raw_address": "0x0001c400",
              "virtual_address": "0x0001e000",
              "virtual_size": "0x00001000",
              "size_of_data": "0x00000200",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
              "characteristics_raw": "0xc0000040",
              "entropy": "2.28"
            },
            {
              "name": ".rsrc",
              "raw_address": "0x0001c600",
              "virtual_address": "0x0001f000",
              "virtual_size": "0x00001000",
              "size_of_data": "0x00000200",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x40000040",
              "entropy": "4.70"
            },
            {
              "name": ".reloc",
              "raw_address": "0x0001c800",
              "virtual_address": "0x00020000",
              "virtual_size": "0x00001000",
              "size_of_data": "0x00000600",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x42000040",
              "entropy": "5.42"
            }
          ],
          "overlay": null,
          "resources": [
            {
              "name": "RT_MANIFEST",
              "offset": "0x0001f060",
              "size": "0x0000017a",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "4.93"
            }
          ],
          "versioninfo": [],
          "imphash": "d3b197f8d7c3a6c1451cdd9039d5ed2a",
          "timestamp": "2013-11-25 15:34:01",
          "icon": null,
          "icon_hash": null,
          "icon_fuzzy": null,
          "icon_dhash": null,
          "imported_dll_count": 5
        },
        "data": null,
        "strings": [
          ".>#|E^@)",
          "bd2V/",
          "2s;$hy",
          "F.!'d{r",
          "</assembly>",
          "9r$t@vFxbzk|p~{~",
          "ds4%j",
          "ZwGetContextThread",
          "ZwQueryEaFile",
          "SVWAT.",
          "PVVVWj",
          "ongjm",
          "GetLastError",
          "OfE?/",
          "ExitThread",
          "$#sqH",
          "ZwOpenKey",
          "j4\\Z ",
          "Vc32.",
          "QB5t(",
          "RemoteAccess",
          "ltG m",
          " \\pb_si\"yvi0",
          "RtlInterlockedPopEntrySList",
          "CreateThread",
          "*\"8DP`",
          "ZwCreateSection",
          "\"S'ap",
          "RtlCreateUserThread",
          "fk)p!MrZ",
          ";[}< ",
          "8/u2#",
          "H~axd",
          " {EOAc",
          "pdg?eN",
          "ZztaG",
          "uf4.//",
          "/yp`Xqu",
          "{Z Op6Fi",
          "*pp[g#",
          ",9;NB",
          "RQM<tPI",
          "Z,@5<",
          "Y^<<=@>D&H",
          "L1gR\"C",
          "system32\\msimg32.TransparentBlt",
          "*!cpy",
          "/BK%^%",
          "_;rwt",
          " t@6n76K",
          "*p(bw",
          "WSAIoctl",
          "r~46xX",
          "d bys",
          "{bU,|",
          "Google Update Service (gupdate)",
          "~p@3j",
          "1980qXJ~",
          "`.rdat",
          "L$*@#",
          "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
          "A\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\",
          "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
          "OpenServiceW",
          "\"p8E2",
          "LocalFree",
          "|pvU9$",
          "5&5;5I5Q5Y5a5i5q5y5",
          "$IH7R",
          "ePA^A\\_^]",
          ":a@; -",
          "eC$i8\\-H",
          "3\"\\.1",
          "8E0>P",
          "3KB9C0",
          "AABBf",
          "iEn.p",
          "t5f9)",
          "VVVVW",
          "3;p}2T",
          "GetTickCount",
          "\\9R>8",
          "IR)4m",
          "memcpy",
          "M4V)K",
          "]{t\"3",
          " uIIce",
          "\"C`KQ",
          "GetSystemTimeAsFileTime",
          "PrF9*",
          "system32\\msimg32.GradientFill",
          "ZwQueryInformationProcess",
          "+:$Bf",
          "7Y uN",
          "url6h\"",
          "LdrProcessRelocationBlock",
          ",DH3p",
          "$(JHuo",
          "C7R&l",
          "dNY2!",
          "#!N\\{*",
          "Macromedxi",
          "A\\??\\%08x",
          "t-CC<",
          "k0 7G",
          "1Xv^j",
          "L$09N",
          "$>C~K+",
          "=send",
          "-/&$f",
          "ZwOpenThreadTokenEx",
          "pW<qP",
          "pBB*3n",
          "G8PW@",
          "qbEdr0",
          "[m9|5",
          " `)*8DU.p",
          "y>]r}",
          "AlphaBlend",
          ",1 c#",
          "ZwSetValueKey",
          "GoogleUpdate.exe",
          "\"BLk/$d",
          "proggam",
          "a}Mle",
          "OSLDUp",
          "9G:];",
          "WSASendTo",
          "Lf*vw/",
          "7ToWlK",
          "DiJ0H",
          "FAsul+",
          "G 5%u",
          "sPy M",
          "}Vhdisc3",
          "nDm\"l",
          "Connection: close",
          "AMSASCui.exe",
          "+NR u",
          "fH6Q>fO",
          "nzg{V",
          "0HCvV",
          "!_KN<",
          "=r7tBv",
          "RtlInitAnsiString",
          "Z0T@ `",
          "ZwAdjustPrivilegesToken",
          "MD5Init",
          "Ta;XD",
          ",E2HPdf",
          "9%vYpDa",
          "2 2*242>2M2S2\\2e2t2",
          "2d!wF",
          "qkW,%b",
          "e0A_A^A]A\\_^]",
          "ZwTerminateThread",
          "\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
          "GetCommandLineW",
          "VhoJL",
          "}n{WJ",
          "b<$v8!",
          "ZwSetSecurityObject",
          "fixUn",
          "_A@}a",
          "CAVB -F",
          "MD5Final",
          "<R>b>|>",
          "f:!tma",
          "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
          "ru$SM",
          "}$C,3h",
          "Windows Defender",
          "lD('M",
          ";;<X<",
          "rwJt6(1",
          "30598-0-v3.exe",
          "ADisplayName",
          "xQzo|",
          "d\"ZDPF",
          "Sleep",
          ")0tru^n",
          "k!@L_>",
          "'6GTgo",
          "fuLPD",
          "So'ZB",
          "+%D@i",
          "t%v>M",
          " !8F\\Ify",
          "]k!qy",
          "6T6p6v6",
          "CreateTimerQueueTimer",
          "A\\??\\%s\\",
          "0SVW3",
          "2P!SQ",
          "Ff#WL",
          "53*I\\",
          "\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D77}",
          "V E)v2",
          "SetServiceStatus",
          "AMicrosoft Base Cryptographic Provider v1.0",
          "GoogleDesktopManager-010708-104812",
          "_zj1.",
          "ADVAPI32.dll",
          "hF(!Wx",
          "puHj>",
          "D$0E3",
          "runas",
          "he:igC7|J",
          ")UPV!y3!",
          "A\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellServiceObjects\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}",
          ",SVW3",
          "ntdll.dll",
          "(cbBu(",
          "sT^Q ,",
          "(.y`;*m+",
          "7+7C7",
          "QechFTHX",
          "o`U!M",
          "|hGxg",
          "E)B. B0C",
          "Desktop",
          "R@G;~",
          "u2 5pD`",
          "%@xiL",
          "Phc5u\\",
          "<jf<DP<",
          ",(Kjr",
          "GetProcAddress",
          "c:\\windows\\system32\\config",
          "1;6:30",
          "Host: j.maxmind.com",
          "memset",
          "$9|HN",
          "2C2L2_2i2",
          "AP32uS",
          "C!)fU",
          "5$5D5d5",
          "A\\BaseNamedObjects\\Restricted\\{0C5AB9CD-2F90-6754-8374-21D4DAB28CC1}",
          "8Y)c5",
          "''l&&",
          "cSLxo",
          "ZwCreateFile",
          "  </trustInfo>",
          "\\InstallFlashPlayer.exe",
          " fQh5L",
          "Rj[gr",
          "v3M)PbW,9",
          "V/\\_S>",
          ",93?:m;~<",
          "a.F\\@",
          "This ",
          "b:ZKW^$sva3",
          "88w*P4[td",
          "!yQ(i)",
          "ShellExecuteExW",
          "RtlPrefixUnicodeString",
          "(BBjU",
          "'TrmJ",
          "B\"\"pC",
          "JxDVR",
          "\"2<iFbSj",
          "<J^4\"",
          "1>0<L",
          "C Dsb{Z",
          "=r0t@vSxcz",
          "V9CSR",
          "NBR64Q|Ac ^p",
          "Q!UD9",
          "/^ixm",
          "9b9s9|9",
          "A;E4R[qF",
          "RtlImageNtHeader",
          "&:A:s",
          "8P\"LC",
          "ZwQueryInformationToken",
          "hrecv",
          "s%btx",
          "'!G2g9",
          "=6(^>",
          "F\"l^^",
          "ZwWriteFile",
          "S}-*+",
          "Q\"UDEY",
          "}3Yh.4o",
          "{H8$+",
          "D>\\6h",
          "@~XpK",
          "^:J&^",
          "ZwOpenEvent",
          "-rN#3",
          "IcC<B",
          " 0SCj",
          "Microsoft Security Client",
          "RtlTimeToSecondsSince1980",
          "C@vOh",
          "tw0Ps",
          "V6.Mc",
          "&x %u",
          "|UDmO",
          "RtlInitUnicodeString",
          "AP32u",
          "bO9EnE",
          "r$hHX",
          "T$0E3",
          "GNOL1",
          "t]UmD",
          "B\"qIoD",
          "]/TN!",
          "0G0R0",
          "GWShx",
          "send!",
          "ZzbL,",
          "@7.KD",
          "ZwResumeThread",
          "]tD*`",
          "Durb_a",
          "ZwWriteVirtualMemory",
          "pQu.yiu)W$GR`adFi\\l",
          "c]Oa(l",
          "W );+\\`",
          "Dx}R ",
          "$[_Wf",
          "4.-2!3",
          "z;T0S",
          "ATEMP=",
          "Au$j8G",
          ")DCv\"",
          "RtlComputeCrc32",
          "uHf9t8",
          "02Q\"P.",
          "94Y}m",
          "ZwQueryValueKey",
          "_Notif",
          "oDn\"m",
          "tdole2.",
          "comspec=",
          "_46EP",
          "V.\"sfo)S",
          "4dm(NTd",
          "'%G5e?",
          "ZwUnmapViewOfSection",
          "RtlRandomEx",
          "ntdll",
          "etadpug",
          "\\Oj&7",
          "SVWh ",
          "OpenSCManagerW",
          "AType",
          "}'nHhL",
          "tx&(I ",
          "sASSj!j",
          "v'x:z",
          "Q$UWQ",
          "ADescription",
          "p2E9%",
          ")zW1a",
          "bYS>v",
          "\\5/CH",
          "1%1Y1p1",
          "ALocalSystem",
          "@explorer.exe",
          "TAqC&",
          "tvux|",
          "R)#uP",
          "AImagePath",
          "ne6Zu",
          "!KB(8*O",
          "cu8&O",
          ")B8!oL",
          "pp9pApBQC",
          "ZwCreateKey",
          "8`}|L",
          "RtlFormatCurrentUserKeyPath",
          "u9V_4",
          "Glc]@m",
          "hShsend",
          "s5`4(",
          "aX3{f",
          "MF0dd",
          "ZwOpenThread",
          "t8TBt",
          "RegisterServiceCtrlHandlerExW",
          "sF<MK",
          "fZ@MA",
          "{8Wh@",
          ":9!:8;B<Q=W>n?",
          ";ljmp",
          "i|SwRf",
          "bY&,w",
          "6)$wPI",
          "UJEnW^(X",
          "en&lK",
          "}dO|0",
          ",B&h#VxVi%mP|",
          "FKdX:",
          "0SN+C",
          "ip.1]VE",
          "e5U@fG",
          "y3Jgn=p",
          "p+:$B",
          "4_T 4",
          "(Ll%A",
          "pHpJaPV",
          "AProgramFiles=",
          " :@;P<",
          "VAh<9",
          "DeleteService",
          "DeleteTimerQueueTimer",
          "ZwQueryKey",
          "QaVnX",
          "(@G=<C",
          "Q6b.h",
          "aV8DK",
          "=>|HI",
          "j,%`R",
          "!CiuQ",
          "E9X[?j",
          "r0dF8",
          "ExitProcess",
          "      </requestedPrivileges>",
          "| WWWh@",
          "\"P`Ax8,;",
          "97wXTW",
          "Mu-\\>\\",
          "8E\\,P",
          "PWSh$",
          "Rich8!",
          "V0&Ux(",
          "SHEqL",
          "ZwOpenProcessToken",
          "ZwDelayExecution",
          "GradientFill",
          "\\msimg32.dll",
          "Up|~eH",
          "PWSh8",
          "%t\\P)XP",
          "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it.",
          "D)IBV`wSP",
          "GetModuleHandleW",
          "3aJ>sIw!@yNc",
          "8)%?-",
          "wIHDa",
          "a (W)",
          "\\E!`z",
          "ceTor",
          "8;D<K=y>",
          "DisableThreadLibraryCalls",
          "A\\??\\ACPI#PNP0303#2&da1a3ff&0",
          "jC_<@x",
          "'*G8g?",
          ".rdat(",
          "|V8\"lp",
          ":22d_U",
          "\"po,L",
          "`#h@w",
          "ZwSetContextThread",
          "j5\\Z ",
          "VYjD0",
          "b;K+1i0\"",
          "PcaSvc",
          "ZwDeleteValueKey",
          "I'?kdd",
          "]NiEP",
          "918:L;Y<o=v",
          "d!\"+$",
          "Awscntfy.exe",
          "d@^T@]4@\\",
          ":\"LD\\l",
          "x$jH\\",
          "QQSVWj(",
          "3U'vd",
          "PWSh\\",
          "RtlImageDirectoryEntryToData",
          "o`t:h",
          "\"g/;C",
          "ATMP=",
          "<(}7,E",
          "SharedAccess",
          "`100W0",
          "LocalAlloc",
          "PS$uE",
          "I+U,?Z",
          "UxK2yP\"h",
          "*[R'/",
          "5+6@6G6O6V6h6",
          "AObjectName",
          "&z:db8",
          "X5a<>a",
          "u&jF3 P",
          "T#:D&>",
          "iphlpsvc",
          "wU#[ ",
          "uTz32",
          "$dl$n",
          "Amsseces.exe",
          "\\BaseNamedObjects\\{81D05F9A-5343-439f-ACAB-E7822E4416F9}",
          ">m~vK1",
          "l$ eL",
          "pl[z%",
          ".yl04j",
          "-Thi(vr]",
          "}tJ(b8*",
          "ybkg[q`y",
          "AProgramW6432=",
          "0n7AV",
          "\", &h#",
          "ZwWaitForSingleObject",
          ";ha5h",
          "RtlExpandEnvironmentStrings_U",
          ".$l<b",
          "L$PE3",
          "MPb3H",
          "Edc]C3A",
          "c(D7D",
          "ZwQueryDirectoryFile",
          "}e^)9",
          "nglEu",
          "BY)FP",
          "_[3M;",
          "2 242",
          "0/060V0c0t0}0",
          "RtlAdjustPrivilege",
          ",'3\\]",
          ".%-I.",
          "XSVWj",
          "UVWATAUH",
          "q1u2B",
          "I=:on",
          "p>4FH",
          "Ga`jx",
          "8UPh6 {L",
          "r;7t+",
          "lLh!=P",
          "IvW2.ar",
          "_MX|P",
          ",r>9T",
          "Gw(<C",
          "b9I;s",
          "Zz ,G",
          "RtlGetCurrentPeb",
          "90:4:8:<:@:D:H:",
          "^1_sIvH",
          "U,!C^&",
          "ZwFsControlFile",
          "E\"LM?",
          "Adob_",
          "%;g\\$a",
          "1HHee3@",
          "\"RIEN",
          "\\u7FK",
          "=@t+TZ",
          "6'70797_7~7",
          ".=V62eY",
          ";wuTZ ",
          "~J(y1",
          "A)a\"A",
          "1<1\\1t1",
          "pNiQ 9~ob^",
          "O?/VJ",
          "VirtualProtect",
          "^bMRQ4q",
          "$qSA^1",
          "r`[t\\0",
          "Ea2c_",
          "H82h)",
          "D&n+P",
          "ZwTerminateProcess",
          "GetVersion",
          "b)ix^",
          "StartServiceCtrlDispatcherW",
          "!This program cannot be run in DOS mode.",
          "S^ #L",
          "x.t9ex",
          "xr^AdH",
          "IsWow64*g",
          "'$E)3",
          ")pHUS",
          "[Kjhd",
          "=SH$>",
          ":$THn",
          "wcscpy",
          "Dkf 9",
          "UPVE/",
          "PWWj j",
          "@ k@(s",
          "1F8![",
          "8PLEU",
          "!e(<]",
          "\"F0uf8",
          ";9<C<",
          "G'*p-",
          "RtlEqualUnicodeString",
          "P\"ShQ",
          "zN*dl",
          "%yRA< 3",
          "2ptf}1H",
          "HDxX2",
          "?7!Op1",
          "zL*T.Y",
          "-VfL!*",
          "}qV2F",
          "TransparentBlt",
          "ZwQueryVolumeInformationFile",
          "2fX{ ",
          "      <requestedPrivileges>",
          "Wj@\\h",
          "*8j4Nmb6P",
          "k\"s(|",
          "WSASocketW",
          "\"uXZP",
          "D0fnAV",
          ":;:G:",
          "PK$`%(",
          "S}PA0",
          "Op }P",
          "c$YHO",
          "d[Q|9",
          "K~]E>",
          "Qkkbal",
          "i_*).N",
          "    <security>",
          "NT_PjR0",
          " X.vp",
          "^AX(W",
          "Lteg$8",
          "fc!da",
          "4<ltH",
          "SVWj j",
          "zeDl2",
          "6yMbV",
          "v$lHb",
          "?$?H?P?U?",
          "929G9",
          "EL7)1",
          "GET /app/geoip.js HTTP/1.0",
          "===n=",
          "services.exe",
          "N!kD8",
          "8=/t{x-{a",
          "ti:X'",
          "TClocs*G",
          "1/'TG",
          "CreateProcessW",
          "RtlDosPathNameToNtPathName_U",
          "8)828W8c8",
          ".rd9at@",
          "[&TD7",
          "`NFlJAWG",
          "nr:ef",
          "0^h x@af",
          ".text",
          "P'!G=gb",
          "7[<),\"",
          "ZwOpenProcess",
          "$=Sl^(q",
          "44b8d&",
          "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>",
          ">P>a>f>t>",
          "#Ccx0",
          "tiX3_",
          "nhcnct3",
          "4n'xG",
          "ANisSrv.exe",
          "|YVVj",
          "hJuD;M",
          "@UVWATAVH",
          "VC20X",
          "AErrorControl",
          "|\"`DLB",
          "system32\\msimg32.AlphaBlend",
          "4-4;4`4f4",
          "\\systemroot",
          "PolicyAgent",
          "\"<BC7",
          "z93uv",
          "ZwSetInformationFile",
          "RtlNtStatusToDosError",
          "oFRiaw",
          "'(G3ga",
          "(at26",
          "$Aa<)2",
          ":O;^;e;s;",
          "reloc",
          "94':.;=<I=k>q?",
          "N\"<D*",
          "V%f4V",
          "tvjxszx|",
          "AStart",
          "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>",
          "4'404l4",
          "HdLc8",
          "        <requestedExecutionLevel level='asInvoker' uiAccess=\"false\"/>",
          "a Afv",
          "j.maxmind.com",
          "24J1P",
          "    </security>",
          "%[I4o",
          "kH-'d6L",
          "\\systemroot\\system32\\config",
          "soA cR",
          "%Zo1F5",
          "6#XDV",
          "Mv1m;Y",
          "DxQ~u",
          "+vP]+v",
          "Rqb:OK",
          "rFB\\b",
          "H,2hJ!",
          ":<E|J",
          "QQSWj",
          "v' 'M'",
          "A\\Google",
          "(dC8yJ$",
          "P O<@",
          "Local AppData",
          "cchad",
          "P\">D.",
          "SHELL32.dll",
          "WSARecvFrom",
          "S-T\".GF",
          "[R<T1\\",
          "+>hVKe",
          "c54<-",
          "#Sq-v%9Vx",
          "<t@gBpE}",
          "=V=c=",
          "RtlExitUserThread",
          "_^\"$=",
          "ZwOpenFile",
          " {jhu",
          "CryptAcquireContextW",
          "^`L!t",
          "pNeuY_mD",
          "MF*-%",
          "p\"^DN@",
          "WSASend",
          "b(=#L>E(1",
          "l{8dP",
          "$ND3j",
          "o+@# ",
          "2<3\\4`4d4h4l4p4t4x4|4",
          "AQAPRQH",
          "A\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D78}",
          "*<L@M|",
          "5?xTH<",
          ">T\"]~",
          "Install",
          ")l6}Ds",
          "aS Af",
          "Dz%^_",
          ";Iu]\"",
          "`Rt1!Z",
          "^ vRp",
          "wcslen",
          "mqy 5",
          "/6jDb",
          "LgANG",
          "Q\"=B%%",
          "|UVh(",
          "~P~Z~d~n~x",
          "\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend",
          "WSARecv",
          "rPa%hW\\",
          "PSSSSS",
          "re'cvIzh!",
          "8MIMs>q",
          "1-191Y1y1",
          "3*363@3d3",
          "=Ak94Qu_4",
          "@UVWATAUAVAWH",
          "MzoiuZF",
          "RtlIpv4StringToAddressA",
          "+vPp,v",
          "Y5tAnr|hD",
          "0.090A0[0",
          "j% Uy`",
          "YYj\"Xf",
          "zhph ",
          "D75I;",
          "CC!L-",
          "%N_;Z",
          ",tS!P",
          "=cnctt^=recvt",
          "<WVSU",
          "los*^",
          "L0Jr, Y4Mh",
          "wscsvc",
          "E\";D1'",
          "htAk+",
          "NKqBOh,",
          "AcSfc",
          "eb= ->",
          "B6@p7",
          "l0e,G",
          "\"V9j $",
          ";7$C:",
          "YZ0)3",
          "Fo;ld",
          "XBu8%C",
          "t\";DEO",
          "wZ#C ",
          "mode.",
          "Bl)2N",
          "ljmpt",
          "^$-na",
          "t@HuB",
          "KE9RN",
          "@.reloc",
          "M>ngEA",
          ",6='FGMg[",
          "PPPPPPPPj",
          "h<iD+",
          "Shrecv",
          ";@;K;T;i;",
          "\\|!N`",
          ";H#-) *",
          "*Z[S)",
          "tasrTu",
          "ZwDuplicateObject",
          "$f2e?m",
          " geoip_country_code",
          "101D1X1l1",
          "><?F?",
          "?.?O?X?h?",
          "4$5-5:5A5F5K5R5W5\\5",
          "L$<+L$",
          ">0+{Q% ",
          "MD5Update",
          "C1l\"\\",
          "$G$H6 ",
          "ceqsJR",
          "3rBtevlx",
          "&tAus",
          "\"6s:O",
          " \\rph",
          "RtlInterlockedPushEntrySList",
          "8081,2",
          "swprintf",
          "_Notify;Ic",
          "Google Update",
          "D3$'s",
          "BindIoCompletionCallback",
          "P9yUY",
          "l QlZ",
          "wn>Jj",
          "N;sAPw",
          "t&\\xw",
          "'&:fb",
          "\\PzVdQ!",
          "G@UVJr",
          "ZwClose",
          "ZwDeleteKey",
          "2tAvM",
          "KTVq#",
          "(YZAXAY",
          "FBCeG",
          "8?8O8d8i8",
          "ChangeServiceConfigW",
          "fixUnEc",
          "O!vu8z",
          ">'>j>y>",
          "`.rdata",
          "}PJ@o",
          "RFDXjv",
          "0_QJ+",
          "2+RIEx1",
          "ControlService",
          "UQPXY]",
          "vU%wf",
          "gG8J-lx",
          "=disc",
          "I+[|<",
          "CryptReleaseContext",
          "@Vc3^2",
          "KERNEL32.dll",
          "; <%<+<2<><D<\\<",
          "@.#l6BI",
          "ui\"8d",
          "RtlExitUserProcess",
          "i,1_%]^*",
          "ProgramFiles(x86)=",
          "D<ha/",
          "~U)i_",
          "6a6q6}6",
          "AParameters",
          "PSSSh",
          "gA.bE",
          "A%&IcI",
          "@B!^|",
          "c7qyI",
          "<|rLWu",
          "@,NR=",
          "ZwMapViewOfSection",
          "I>ee4",
          "tg+Ed",
          "d|YL9",
          "QClo0",
          ":RU{P%",
          "wcschr",
          "9)9C9n9",
          "8b8i8",
          "94GK]",
          "*g8D`\"h'U",
          "\"(D<T",
          "X$hHz",
          "ZwQuerySystemInformation",
          " VWhsend",
          "u80K9Dr",
          "eq/##",
          "hZl$y0",
          "eR$2h",
          "lc4,#",
          "%d,HR",
          "dY::_*",
          "p__dO",
          "l7zFJLH",
          "dS4?K)",
          "d*%Z$",
          "p1x8S",
          "3aJJsIw!@yNs",
          "zn2.%",
          "7VR9$F6",
          "XOQfw",
          "\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellServiceObjects\\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}",
          "9$:G:M:T:Z:m:{:",
          "sendt3",
          "ZT'%.",
          "xULP<",
          "ly1E0JC2",
          "ZwQueryInformationFile",
          "k1;09H!2@Tm",
          "ZwAlertThread",
          "\"8 @e",
          "\".FS4j",
          "LdrFindEntryForAddress",
          "WWWWV",
          "\\<d,i",
          "cEG.k",
          "<symQ08",
          "%I1.X",
          "p.,=]<xI ",
          "ZwImpersonateThread",
          "pA]A\\_^]",
          "aShrecv",
          "L68 V",
          "|+Cd*0",
          "*<*u@UaD,",
          "&<,'WGig",
          "CloseServiceHandle",
          "hu@:ju01ju",
          ";U<w=",
          "NBR)64",
          ".data",
          ":so9:",
          "Ne8A_",
          "v'xCzW|]~",
          "LdrGetProcedureAddress",
          "\\u858",
          "CryptGenRandom",
          "j Vr[",
          "A Q4@W",
          "l)I`+u",
          "RtlFreeUnicodeString",
          "'H=BVP",
          "9DtOQR(WJB!",
          ".rsrc",
          ":&:B:L:",
          "VQ\".D",
          "SH(\"e",
          "FpYsg",
          "L$0PQ",
          "!_]eWG@NP",
          " w $xp",
          "ZwCreateEvent",
          "a&\"km*",
          "recvt",
          "WS2_32.dll",
          ",TTdVH^",
          ":(:<:`:|:",
          "AMsMpEng.exe",
          "2P3i3~3",
          "GpE%*",
          "mpssvc",
          ";|vbna<",
          "SXk4;",
          "LdrGetDllHandle",
          "Y(,:LR3",
          "X #Yb",
          "RZ SV",
          "ZwEnumerateKey",
          "jptEp",
          "d~W~f~D~~~Yz",
          "3^476",
          "6*7z7",
          "secur",
          "lphaBYB",
          "$9?T5",
          "r,cHdo",
          "Rtl:Ge",
          "AMpCmdRun.exe",
          "L3%Q;",
          "Qaj*:B",
          "=Phj\"",
          "B}-+i",
          "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
          "S'h|%",
          " eQlq'",
          "\"gz= @]|Y",
          "h[@Lw"
        ],
        "virustotal": {
          "error": true,
          "msg": "Unable to complete connection to VirusTotal. Status code: 429"
        },
        "executed_tools": [
          "msi_extract",
          "overlay",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 8,
        "cape_type": "Unpacked PE Image: 32-bit executable",
        "process_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
        "process_name": "invoice_231836298371.exe",
        "module_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
        "pid": 3236,
        "virtual_address": "0x00400000"
      },
      {
        "name": "adb989d8481e5421abf199419fc23b92092bbd0cb4e6f3389a18bd1b63b0da6e",
        "path": "/opt/CAPEv2/storage/analyses/95/CAPE/adb989d8481e5421abf199419fc23b92092bbd0cb4e6f3389a18bd1b63b0da6e",
        "guest_paths": "8;?C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe;?C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe;?0x03A20000;?",
        "size": 251904,
        "crc32": "4B7CAEAD",
        "md5": "2bbba0e08937edc8b1a96e4956518e35",
        "sha1": "721be917a64f17c89e710dd217711989390a4a68",
        "sha256": "adb989d8481e5421abf199419fc23b92092bbd0cb4e6f3389a18bd1b63b0da6e",
        "sha512": "0183116071f7422dbd159cc863a15c29073305fd21af6d46b2fea42a86808b1a6e1c920091b3bbc119e6166bf1ba5f8f45f6fb7314b8a889f38206bddfe51a87",
        "rh_hash": null,
        "ssdeep": "6144:vz/LBBT0T+ooEf2ZstxQMS5ToLoOhD2saLYYEbjD:jLBddoFpQM+ToThD+YZbj",
        "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T16234AF15554A1137F0EAEDFEB26F7F7168CA8BB620F4424574021CF89961E6A333E2B1",
        "sha3_384": "11061548d4090aa4f09968c0a980fdd247499c50cdc1e1a9be48c1d716f56b765aa575f036172cfc0d8b90bfc0f3b998",
        "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
        "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
        "pe": {
          "guest_signers": {
            "aux_sha1": null,
            "aux_timestamp": null,
            "aux_valid": false,
            "aux_error": true,
            "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\95\\invoice_231836298371.exe",
            "aux_signers": []
          },
          "digital_signers": [],
          "imagebase": "0x00400000",
          "entrypoint": "0x0000a3b6",
          "ep_bytes": "558bec83e4f883ec7ca194fc40008b0d",
          "peid_signatures": null,
          "reported_checksum": "0x0004cf27",
          "actual_checksum": "0x00045ba6",
          "osversion": "5.1",
          "machine_type": "IMAGE_FILE_MACHINE_I386",
          "pdbpath": null,
          "imports": {
            "SHLWAPI": {
              "dll": "SHLWAPI.dll",
              "imports": [
                {
                  "address": "0x420078",
                  "name": "PathRemoveArgsA"
                },
                {
                  "address": "0x42007c",
                  "name": "StrCmpNIA"
                },
                {
                  "address": "0x420080",
                  "name": "PathMatchSpecW"
                },
                {
                  "address": "0x420084",
                  "name": "IsCharSpaceA"
                },
                {
                  "address": "0x420088",
                  "name": "PathMakeSystemFolderA"
                },
                {
                  "address": "0x42008c",
                  "name": "PathIsRelativeA"
                },
                {
                  "address": "0x420090",
                  "name": "PathIsSameRootA"
                },
                {
                  "address": "0x420094",
                  "name": "PathParseIconLocationW"
                },
                {
                  "address": "0x420098",
                  "name": "PathIsUNCServerA"
                },
                {
                  "address": "0x4200a0",
                  "name": "ChrCmpIW"
                },
                {
                  "address": "0x4200a4",
                  "name": "PathAddExtensionW"
                },
                {
                  "address": "0x4200a8",
                  "name": "PathCombineW"
                },
                {
                  "address": "0x4200ac",
                  "name": "PathQuoteSpacesA"
                },
                {
                  "address": "0x4200b4",
                  "name": "PathIsRootW"
                },
                {
                  "address": "0x4200bc",
                  "name": "PathRenameExtensionA"
                },
                {
                  "address": "0x4200c0",
                  "name": "PathIsPrefixA"
                },
                {
                  "address": "0x4200c4",
                  "name": "PathRelativePathToW"
                },
                {
                  "address": "0x4200c8",
                  "name": "ChrCmpIA"
                }
              ]
            },
            "KERNEL32": {
              "dll": "KERNEL32.dll",
              "imports": [
                {
                  "address": "0x420000",
                  "name": "GetPrivateProfileIntW"
                },
                {
                  "address": "0x420004",
                  "name": "LocalFree"
                },
                {
                  "address": "0x420008",
                  "name": "WinExec"
                },
                {
                  "address": "0x42000c",
                  "name": "DeleteCriticalSection"
                },
                {
                  "address": "0x420010",
                  "name": "GetUserDefaultUILanguage"
                },
                {
                  "address": "0x420014",
                  "name": "FindNextFileA"
                },
                {
                  "address": "0x420018",
                  "name": "GetOEMCP"
                },
                {
                  "address": "0x42001c",
                  "name": "SetCurrentDirectoryW"
                },
                {
                  "address": "0x420020",
                  "name": "LocalAlloc"
                },
                {
                  "address": "0x420024",
                  "name": "CreateFileMappingA"
                },
                {
                  "address": "0x420028",
                  "name": "GetCompressedFileSizeA"
                },
                {
                  "address": "0x42002c",
                  "name": "GetEnvironmentVariableA"
                },
                {
                  "address": "0x420030",
                  "name": "GetConsoleAliasExesLengthW"
                },
                {
                  "address": "0x420034",
                  "name": "SizeofResource"
                },
                {
                  "address": "0x420038",
                  "name": "GetDriveTypeA"
                },
                {
                  "address": "0x42003c",
                  "name": "WriteFile"
                },
                {
                  "address": "0x420040",
                  "name": "VirtualQueryEx"
                },
                {
                  "address": "0x420044",
                  "name": "IsBadReadPtr"
                },
                {
                  "address": "0x420048",
                  "name": "GetCurrentThread"
                },
                {
                  "address": "0x42004c",
                  "name": "GetTickCount"
                },
                {
                  "address": "0x420050",
                  "name": "LocalUnlock"
                },
                {
                  "address": "0x420054",
                  "name": "GetEnvironmentVariableW"
                },
                {
                  "address": "0x420058",
                  "name": "GetSystemDefaultUILanguage"
                },
                {
                  "address": "0x42005c",
                  "name": "FreeLibrary"
                },
                {
                  "address": "0x420060",
                  "name": "GlobalAddAtomA"
                },
                {
                  "address": "0x420064",
                  "name": "HeapFree"
                },
                {
                  "address": "0x420068",
                  "name": "GetLogicalDrives"
                },
                {
                  "address": "0x42006c",
                  "name": "GetSystemDefaultLCID"
                },
                {
                  "address": "0x420070",
                  "name": "GetModuleHandleW"
                }
              ]
            },
            "USER32": {
              "dll": "USER32.dll",
              "imports": [
                {
                  "address": "0x4200d0",
                  "name": "CallWindowProcW"
                },
                {
                  "address": "0x4200d4",
                  "name": "GetProcessDefaultLayout"
                },
                {
                  "address": "0x4200d8",
                  "name": "UpdateWindow"
                },
                {
                  "address": "0x4200dc",
                  "name": "GetClipboardOwner"
                },
                {
                  "address": "0x4200e0",
                  "name": "AppendMenuA"
                },
                {
                  "address": "0x4200e4",
                  "name": "GetCaretPos"
                },
                {
                  "address": "0x4200e8",
                  "name": "GetSysColor"
                },
                {
                  "address": "0x4200ec",
                  "name": "DestroyCursor"
                },
                {
                  "address": "0x4200f0",
                  "name": "GetClipboardData"
                },
                {
                  "address": "0x4200f4",
                  "name": "GetScrollInfo"
                },
                {
                  "address": "0x4200f8",
                  "name": "FlashWindowEx"
                },
                {
                  "address": "0x4200fc",
                  "name": "GetAsyncKeyState"
                },
                {
                  "address": "0x420100",
                  "name": "SetLastErrorEx"
                },
                {
                  "address": "0x420104",
                  "name": "InflateRect"
                },
                {
                  "address": "0x420108",
                  "name": "GetCapture"
                },
                {
                  "address": "0x42010c",
                  "name": "EnumClipboardFormats"
                },
                {
                  "address": "0x420110",
                  "name": "ShowCaret"
                },
                {
                  "address": "0x420114",
                  "name": "CopyAcceleratorTableA"
                },
                {
                  "address": "0x420118",
                  "name": "IsWindowEnabled"
                },
                {
                  "address": "0x42011c",
                  "name": "DdeQueryNextServer"
                },
                {
                  "address": "0x420120",
                  "name": "LoadBitmapA"
                },
                {
                  "address": "0x420124",
                  "name": "DeleteMenu"
                },
                {
                  "address": "0x420128",
                  "name": "HideCaret"
                },
                {
                  "address": "0x42012c",
                  "name": "GetWindowTextLengthW"
                },
                {
                  "address": "0x420130",
                  "name": "SwapMouseButton"
                },
                {
                  "address": "0x420134",
                  "name": "VkKeyScanA"
                },
                {
                  "address": "0x420138",
                  "name": "AllowSetForegroundWindow"
                }
              ]
            }
          },
          "exported_dll_name": null,
          "exports": [],
          "dirents": [
            {
              "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
              "virtual_address": "0x0003316c",
              "size": "0x00001152"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
              "virtual_address": "0x00020140",
              "size": "0x00000050"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
              "virtual_address": "0x00039000",
              "size": "0x000058f2"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
              "virtual_address": "0x0003f000",
              "size": "0x00001354"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_TLS",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_IAT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            }
          ],
          "sections": [
            {
              "name": ".text",
              "raw_address": "0x00000400",
              "virtual_address": "0x00001000",
              "virtual_size": "0x0000c000",
              "size_of_data": "0x0000b600",
              "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x60000020",
              "entropy": "6.71"
            },
            {
              "name": ".data",
              "raw_address": "0x0000ba00",
              "virtual_address": "0x0000d000",
              "virtual_size": "0x00013000",
              "size_of_data": "0x00012a00",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
              "characteristics_raw": "0xc0000040",
              "entropy": "6.15"
            },
            {
              "name": ".itext",
              "raw_address": "0x0001e400",
              "virtual_address": "0x00020000",
              "virtual_size": "0x00001000",
              "size_of_data": "0x00000a00",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
              "characteristics_raw": "0xc0000040",
              "entropy": "5.19"
            },
            {
              "name": ".pdata",
              "raw_address": "0x0001ee00",
              "virtual_address": "0x00021000",
              "virtual_size": "0x00018000",
              "size_of_data": "0x00017c00",
              "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
              "characteristics_raw": "0xe0000020",
              "entropy": "6.72"
            },
            {
              "name": ".rsrc",
              "raw_address": "0x00036a00",
              "virtual_address": "0x00039000",
              "virtual_size": "0x00006000",
              "size_of_data": "0x00005a00",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x40000040",
              "entropy": "6.14"
            },
            {
              "name": ".reloc",
              "raw_address": "0x0003c400",
              "virtual_address": "0x0003f000",
              "virtual_size": "0x00002000",
              "size_of_data": "0x00001400",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x42000040",
              "entropy": "6.75"
            }
          ],
          "overlay": null,
          "resources": [
            {
              "name": "RT_CURSOR",
              "offset": "0x00039250",
              "size": "0x0000074c",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "3.86"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003999c",
              "size": "0x000008b4",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "4.11"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003a250",
              "size": "0x000009cc",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "4.16"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003ac1c",
              "size": "0x000007fc",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "3.90"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003b418",
              "size": "0x000007fc",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "3.99"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003bc14",
              "size": "0x00000b6c",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "3.93"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003c780",
              "size": "0x000008b4",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "3.94"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003d034",
              "size": "0x0000074c",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "3.87"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003d780",
              "size": "0x000007fc",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "4.09"
            },
            {
              "name": "RT_CURSOR",
              "offset": "0x0003df7c",
              "size": "0x000007fc",
              "filetype": null,
              "language": "LANG_ENGLISH",
              "sublanguage": "SUBLANG_ENGLISH_US",
              "entropy": "4.05"
            },
            {
              "name": "RT_MANIFEST",
              "offset": "0x0003e778",
              "size": "0x0000017a",
              "filetype": null,
              "language": null,
              "sublanguage": "SUBLANG_NEUTRAL",
              "entropy": "4.93"
            }
          ],
          "versioninfo": [],
          "imphash": "308fe2649c586660c71bc787d65e54fd",
          "timestamp": "2013-11-25 10:32:03",
          "icon": null,
          "icon_hash": null,
          "icon_fuzzy": null,
          "icon_dhash": null,
          "imported_dll_count": 3
        },
        "data": null,
        "strings": [
          " !\"#$%&'()*+,-./0123456789:;<",
          "PathMakeSystemFolderA",
          "l&#l&#T",
          "2\"2>2i2n2|2",
          "</assembly>",
          "EnumClipboardFormats",
          "OIUigAQfhF7ryLy4FbZ/eYt2KZ[bzlgQtMxNbm6JeIQhbCykvwfAMt2ZoJh4sI{j,zu9b+J",
          "FreeLibrary",
          "KatsDoreOmerBetsKoraKeef",
          "tl&#l&#l&#l&#l&#",
          "<0<U<g<",
          "D$p)I",
          "8E8X8a8}8",
          "7E[!|h:y",
          "frysBj+:SKXOJziVJBRl+d5loiI82meEGxoH54jlUPn77XlfK9dlKH8utP4iSvcCHEmy4yzf/SgG",
          "l&#l&#l&#",
          "?solidStroke@@YGKXZ",
          "-nV8TP",
          "40:0N0m0~0",
          "757C7O7c7i7",
          "jqiXzmPzIU8V590Xs8,5xbUM7YgXcpsjiizfRlhaQhH/pYXxG8LJqjhVskFt34KOlaJG9KCGjT,brQrWn/xuwTW3xm,CyP60F936QWqfEhEgN1gM830gOtrTb6hbP7irbdT2vKwCWXgZ1kvQXznrzosDoUsIjb{kgdriXm[jterqpy1CbchrkQ6VjD{dVB3IN5qnbgE4cj[2DolnV/QqtKwHeuuU9Usl21NvpZRp5kTBdOgb{H8gFzZ1UHbWWahpPEssRhx3tl[wv/uyriKcBQesJE0TOaMogUv1rLmeQV4B50Q063fNetVfW+OzRCqfzn2cPl:BZdMmjgMPpR{n0jqwPbmq9IZ8kklbSK6nPw0f0E[SKEQ3ugqqrr7bEqGazfxfY/zBorOSUAc2n6GYWlmDL2c2YitVv9fIDNSIQcs+29zj65XGpNwYc0o7H4FWnPXMRDJlr0HrVIR4Qo7ZSGqfW038DOXq77S1FT9a5d3gMsUHcG,ZEhVpOZp0y2caWqjeHcvYLyOq:GJDwn7tygI/BJ51tY9MS41KsyoAb5f7:JHKvDSruDODb2TjgfsNKS7Zj0qgcqIIpX,dJH[yfJqWEG7gW02SKf{pBrFW8C5tLhVU6FkefdECGL,dl8olIZljDUva[UFcRMV3kT4nXW{XSE,FlHnNJOjeuxNBm1g9p8lKxKCWgaUOUmhAGQqS1hK3XJKp[Hg6hvoaqIkhP17V0a[N7ngAuaWWtlBQNY{7QyBn96T0T8lYoHHOY0fcLt5XjVF6WGMiOG0FZmByxwZtugF9vIrS166V3COG0BD3{wkH4VkFqIZu5WzPJ27kjhxWHWChoHwDFJ3dUxOxbLE/HRMFNMol:6K4T284:AniHFiidEOeUq6LUcRP7NCUXHzPzE7JL+nF,nwjb7Bwcu8AdaxAPxM8vYkeTz8CeuLafe9H4/xfO5QSNWCVTElA455t9IOPkbudw91/elft8WU3kbI8R/lvxAJdPy9QP76ZzbvbmwnZmzU/31:HpiVwryuFRYpmn83F1LjYrxG42lsR{pVeFZ{rEdbD4E6iriIplaDzOAm5Qj0g7T4/ggqC[sqOYTodZ76sbgq44KzwSS4QyZ2JBCoYvQ{pKQBIgjmhxM9Y,9tNklU8NyvKfByFcyBbZxPneiQwVtG/NoYqIEFA8TG11ZCPNwp/f/JRXkUyZukYogMkHmM91zUd{YgsjvXh7jVigY3k6J2cmiP/WtF6cRiIgZ8OYgF0tQZOII5/jAn7c2m7,C1EraNTITlyg/fy45zdd/ELYPV5ttyYBaerN8YUkn,6uV2FeXSQc2YRB58m4vHsf52YICFUZ/Zmvgj09Jud8J5BObKc,WQr6IdQcY3IRHhcTQwy41TGhE5o1ei76iIndo{uoirwREPP1PTafmCpUs{ybPzCdbDXl1tfJJ:mErpRhXrw5tNWWFDrp8g+Sbf/imgldGvbeGiU[3UUCeTP,c7eMyjEzAg01JxB56kHhp1oPMwZMqEtPSpwp1kLcmJbfebOwMQtIqSYYGedRDblLRCGTU3V3HS+Hf{JQ8zh34wi9LD7WsVKrVDpJaHDjlRy2DXpi6M0S3Hcm5RUoYn2oU:2oG:9K03EDcYOnOtHZu,VE74RD0cdYWVfMSSdn04Aka:CNNoHcDEbnUR1gWhxSXCKIQtDX6{vNwkci5s4yhOkoceAVIPn6DFbjLctZnlQ8xqyoCdOTz:PO86pVu2HrcVLUthHQ5BHr9Wxwm:lmHHqch,C4/etZrYOhkpZdX04eKKg:ho5QWQlcLw6r77X,ncLCsyiwSGGox:bH2HhqLTq4N:h{F58oehQE4Eq5mRhnGfJEr3GuP[aPo5Mf1OT4uFj9xxngx:92nF/KyhY8B6AwFNJFbuTG15+QMe1h+lofpNBb86BDyKVmjyyzlv1wDEOvWIvLFSnJXuCHupSi+rotzHR0Nv0VjUavgUsYvygLah/ioeK1H7b,8,g9
rJddaIpxRqiL0bcsm0ANB{Td7lBwVj7Mu8vJhGvn46/r2qUDBZcDgw3UMIt{j:JOyxEJJcA:z,CPDtCIpz4gSl/{Om5dQLnEklt{b,/K+vT:HfoUjoKocXzIKlP5mOaFDIMHgqw50S7oc,4Jy{8eAuY2Z5FtTdepz6GWzr5bxWgm8iCDyGbLrN1[rTmLY30uV:LFJs2sGVStx0Bc158go5MJs6uZbvfRdYhtj,bNTu8mYuhi2mH1HPzh658d29bkSuONqsrhH5o3uthGs7TbJ03EJtOuw66oJ77DVHx9yQ34mCmZo113TZ4NDULbET48WrxncsWxoBbH/3QZnDtJhQpTDm8fvsd8pmUlvE5mkBQji[e8zUoEcVWj1{wDiJjPE[HFL[kFr3ZMuoySl,e{aF5V1,s5CfvYz{ZIZ8m78N6jU1O2x[6T7j1DxZWp5Z6u3JcCWiM64Wr[96PP3KoDpmU{qtxTnPCOBTypSXv0VZzVewOZEY8c3e2tRkaCFKtPXWPkfz9JxfX9bQEYnTTLfnv9YOhqlYkNS[PxQdSnT4TTJGBy3nNpYEmGkKW0+3ISBfBWwxKkL{f2lY1JGgWcoWBO8frc7jIIIpF8tTAOUN2nALY6Gsj6DpBEDs4JZdYL+fSqe4biRiL:k5gXqcaLrjhWjwreNcpc+FJL+FlqT:UVs0irO9wpRqTrLsfEO8jjZ{HtnYcBd1qBdGNGcOOGLgAVurcR6tAVQbK8Cl7wK{M5g8FdIHbxbyeppTJ3dT2[7Nm{UomthuatRD+Vx1O0pECtnOaBceeu2hjCB6GpCX3tp8qSDr7{DdHUX[jiGZLTh59TDDA91,LNz77RCYUs4dcBlQAL+1cLUmr2sb86XC5cr6c{5xIDiLwfbeJtp474s{tnxDQCVkRFeOQnxn5Z15lwTX7mnxhG1K3wFJlcSpZMqsVYdHC[3Km{xU0SbukU3GiZVJyBcS3luP/4w5BGEIjerNcwCB3mS7ndp6MVxKKrC6QG3J9gVGkkuVN5S7Yds6ofZJaIIWuxVp9ri,tHwi1WWVt6SYdRrlfILe3XuhQIQCRNqI3Eg9gxovLZEo9zfGA0nxSTItofvDGZd1yC2BMl3,mx2mk9UiF,xwtq2sKsczAp0n1Va[Eg/2b9DXqDbp4veVEUWRp0PywfC1o0cbIKcvTHah8kdgFsgGqJ2p0MQnzueYlrFKeLGclttKTXp0cOTQx{6s9RZTJSo8DFqmDvUpcisthWYFtQs6p88wYXl234ak3uI:hX97acwD3LrpdbJiKwaypWoKPKnIbOiGrxUij1O:pfam5oNUxbIGNKwinV4IQ,36PGsi8d08vYjcJQPTRvhBX0fD8oSlseTLo,aX7{dlLDXo86GypnUvDpLuByesr53l0IQBJxHeKML24VYZqER3f1zPWmM5UDx:0MI6VsypJ9RBSOBiA4BZxtFgqFptuwiOVscPST0pB0OzexRtkBntVb7ytW7luNiCh2aV1kvlO5IfNSKH+nWGYB6f260jGFrovh7TvI1bKZXegDlNjF6rnBTGOIJKdfSj6e9Qd44EiNLyXpcdDGIwqYbNvrtpg4OjyhU{oX2rBWR[T3+{tjnkxsx{jLhJN[4[tOWd7MXZG4ezHUNvzOcrxTOgq{1WgZJ[nsIbw32IeN6BPvC6mih4a[GXI7Qp+hT6cpgZ1c3wtFK4VzHE+QOnD8aNFF5B8OYZ80QsCh3,ScvoEB8EB6yfOGGnAU00dxvzOuSQnQV7gKpYMlSExKq67eFNa7Idz,1V8T8FqwK3UgOmh2+jo2FH6NTK6OzlMRAchGfBFHChIeafss80pRiuHpisRLXsjqNr/odR2rcQjTucPOB9ERCLT:ulBLJjD7psxlQ7E3EgjlL9SQ8xVl/qjnf3zZI8vEsWv4eelwac77KdkLsBu27yvFy[zm4oAw0x04zU+v/q7mtrV9v3ebO3s3XVQyNHl8/T2xTIokhhJBiodqgFF4bGH7PY5n
jBo,+cBlHiMq5LegA8Z6V0U9I[FStX5WWQvrWVjfc[TimsSgfzH7lbkPOse{8,35QD7xebChU8JoeXXJM45pqORyzOiPluuLCwU9A2XJOXrPX:XMA2ortiH1EsaNtvsUTSrz8Jy8Ab4bMQscjVE4PCviCPZ9wwXCK7l8S80igGf8lopTIXYZwlXFSKs3jggql[8HYGNRCXNCEO8[LSoEPieYxcP{q9MnPPLSvoQQyw8Nsw0lnf4NycH0SyGzPvr9+ZwQlpEeIh0krSdJ2y0PoXgm9NxyAj/3XS9ywcklhOFppOomSC29JxR9744L/GMbDecWrgtlYc5,S92HCkGSoY5MRFx8TIGMAV5SdYG9jzoGW,ZBxhWMSMEK0tV:yno3sxadbuBpwsTWOmQI+y2zVzaC3vwPu1qgw2es/VlX75JsInW8m5FMWcfO5R5hGeqGmuws8qYxVokW8uNgJ{5BPIpvbjoZ98uF6CIeD9TublY[EMJ:xDEkcWHgx8tVJcHt+WS6G86j/eSFHHxplytKpDGhw8Kmc6P75[9oXXo,1lvRsmuB9v/SwHh3yepPImkT0zCwIRKQL6WUSZx,VSiSnDcUaGvlzU2m34Vwg55rAEPYMEke1wy1ZhwiwNiXmhYRYJChnMzLJwU412cLVkT[n6gfjqnR+is{EhVx5,o2bvUmbQQHpd3jfyN8LUkEtY2qHEK8RfGwxMq4rUU7zL5wkFFhyZbDdWxEN80RIi1ufelg7XsBMZJU/1GElyzhKD5r+I48rG8OrSZWaCkMTg4vDEEoP9vqrqFgi,o3ih9qdT5zXsEliLKqZV3uImOlMnqSuFoK6uJivzN40NPRnG7ru2W[z7RpEDm9bZRY77bpstCmZla[QM8STg4UeysBHMoYlk8{Prb3NOPByErf683ZqMGPjRcwHXJ61e7pZDF7CmGqK{2JCoZFZMrgISezJbJRxWkIX2FqzFIVkXMUj2IDKFIkx9v7NxvIFc5Qsz53yJs7a:Mxs[CZMdQ,FHBH5OfhukNuKCqD8DSgA4zwt[r8eLH6Y3ZsNjCP+{d6QMxJEbsjiL1gQmJJQFS,6GsMyqRZQMJ76Lr7lHWOw25{vSbyXoiLqW22W0Zzht9fvTQkPzkeBk6kiJDYXpSPMKQNkJaIftseEQP{ZiJDHc3Ppzy{qseLiCyydF7rWF5DzvL9jRi,cdVfEn2p6P185pSpKcNwuT8uvNZ8y:U:fCpL8OX8btBnfsImTRlYV9HJX5EN/3j50Xn3shIY+sj4zh+U073k+H4{VHppwnthMQ9{4tH4+c69nSrSC5Uctr1BZIDqqNsLitjhAvG9B{ytShDbsGThaG1[k46PE74ZhTtmDJw{6Yd5OWjeRf9GqXIki0YgbzK1jfT3g:i7x,5PeIPnnmISDUpQl9oeqh7GwN46PhUQhSWkRIjfFsOL8ecP5UFdaemtr[w:yVgYhw2PZhHgeBiz8nulTjk11XA0XCo1ORx7tDU0aFTgWE58/QqX0:g{dZvOki5YeOy2ADiqWvVpADGirWD08SOIz[pYt9i9j62bY18xbx1wV5/phgZMldHcrF9[ptVO/nT58KHL+VhIQhp43o1cdkHwtmuUsiUNFbvEy9F5HgyEQxXW69oCE20GvXs3tCtciDkqwK2blLPgnBx4qY3xDZi:ZPH7TofS9K8uwnxJD99Xp4xnjuD5XCQ,CsVg58U3tLRQMdKZoo7Z3pon7ztPapgOiEJr6Ir73KtrZsaXzeBF0Lv[7z2RWqk3sNu3LpQqOB3VkLe{oKFNW7OI33UV1v5DzIuedgicX6xv/WQZMrUO0FF,7DXd75xc+4HPdrERI9siVVsDKE8O4wKEWVwZml7twoRGAxn2D53boTHmqJchl8UFsEySTCb0qch7o3BWtjzOliZqgfpwDF3nTWM,rseK0ndit9at7r+[Ty9RAt6NSVJChf2TqzdTFlFQgZwG4Vz{QL6s8MMUkn32P:38Wo3bR{odzQA,
e4J:0vV5dKRkBz8JzKqTxC3Cg4LvlcuN1Hv7IzrcDcigVkYSYEv02DsZifewjniY2Dam18Lx1ljp/B6scSjMT2cy439OcxjP8j0tIpjMD2WnCklUFrz7OCkJHnbxbTsS8xYNDVkvtbA0740J5fTM2exD0:2L5r22SG5v0t5vo8ROZt9IDC/w0TRODJkoolOp43aKMRdrqph4fH+d7tJBk3et8n00ugSJyfMgmRr{R[srtEZWQhlPBef78JX6JIb96RsU9I8jt2Oz/3gHOCBhoNdop4ScR:qU5irDRJYZdk6eH6c2DRxCURVE9fdZSO5JfOTXANCBkXwRcsmP75w162ALimjKXIYELHGfPz6,4njVi[BfKzj,X2P9rD/[njsi76DmL4OpnD4hZ{+SlgXhw22zVVMNcMlZjXEmZEvPHKCiUYGODKYlQ{yRs6O,WXBLRg+v1Xr1byYr7DEM/:LQw[Ff62qtp8qkzE0SB7+V1tvBvy8KYD6n71F96TjndZ1jeNlvxPXEBnDoU4kkWfxhxXqKC:HWE8ZphjFjatCbr78nzFIkahX2J{DD3DMtvcWf42NcN0qlSZecFz1wXQp5V7LIst+nnCx6p2VnZzRErpOwMp0STd25mby3kNUsvbmcO5rp4BT0S3NVY{Ybl9S7NdsNX[Zem4OYkTyYlvmNa0svPLWct3l{a0BgnjD{3G4[gYy3uh=>",
          "060P0V0",
          "6&6+6J6O6W6q6",
          "u|-gzJ",
          "SHLWAPI.PathMakePrettyA",
          "9L$ s",
          "GetConsoleAliasExesLengthW",
          "j %dT",
          "O<l&#",
          "Oyereft03ruff552fensbum8braw608043do66Xi7bisk51er404522ado34",
          "?SpryBursApedfohnBangbes@@YGXPCIPCKUSobacruxboltRant@@ACUtagLOGBRUSH@@ACU_GUID@@H@Z",
          "JabsNaveFateLariManyLeeksecshiesBawlwoo",
          "DyDq3",
          "ChrCmpIA",
          "sstLA1i1MGxUAnuWYGrUkKggf20W2p7WrNzIFtolRyTKO:muEnOWXbz7yRTxxwMwFJ0VLQD6uWIWcIE6UZy3SK5XIjad07Bw9IzKcKVs6bhQuGhfNqYJK{pbDxibT4cGVtGjk{J4NWEZljlD8YvzxSOp7t8SwB6SYIXSI5sdg:vjKH/ZwvPZn6VhUZ69E0vTm2kxxlUF4rzW441WAYikA8MrhMY2ePKiOWHBL9mXqF26J4CL9OHHqVV41wIjk[WZsPMed3xfLpbniG4SnrTVPCu5mJifaRjhybp5OjriPRGhrpFT2Xo6jx/osmi6BK2bSka0oJgNCUzpaNPtfenZi{jSYrFKrWgmHyVfa9StYrx2vUUb8kuyDXtQq{gbXMhh/68MHdSUpWMYUeUeVI3Gheyo83nE9SBh8:bFYIRcpnr{TxClQUY[gOzoxjmkZopVvOeoc8m{YdfVLxRTS[XFz[4F82wXL41HF,OPFlnQMSPV1pVKhG1H5KKmP{B6N70CI,7rF9KdPDBjpXmigsht/ViehbvJtIAHZZoiREqou:aQsBP92YQtZ{SYjkNgxrKxErbZj{aOVIRinEzLO:yokLhuoePW2wUZnzlItpxsSKJrlomLMnzUNN0rxYUeyhtrj4hkLGLv/DOtUxd2+27WuLfm3cG039A9CBNdN[tofg3xp4C3KQDW0LadSKJQtjuVGkrZZnODpt4:v7slymSqH,51yd2O1O3gvNGHiG2we3JxtU6fTSI:X8Usi{FraxCPis7,f4Iedqz9Zl/qqCLD0N34C,rSSn1tqeTJj1EsUjUFBH65DLWf3SEyNts:MKIjpvrPpm8xo2yfh5W8H8BNlwp7vl9qaXX{sNFsi4BLEELKhxBhJvqvRzGzk8pnJVeyqWZF9vVKeriSf8BIl50Gp4mhv1OfanhnSQbZUy9j7:reffJHw4uUvqVdpfJ4hI/9IsTm9OJvR8fFwp1R41xCxyaqqDQDnb+LEXwlkboPjXzXkeXoIBtsiLkgq1GRMKfV3RK{rMhhdQsWg{Dcxn0GuGOZd4lJ3rkKNQ4Q7I3wqQ+scFS61xT4PWbcW4d36rOToRFJWQ5bC[yvteTgBUa{LH18NgGI9lTW5q7GUOa{qpt[8dm{vQYPIuPXb6uHWE14LRiYNIx93DvRYzZP7HJCmLF,RwFxzOPsKU1GJMCzcWc4pVy{Edg{e2Y7Zq6Vk0tIF:pFIzg{q5RUzkPgxdx22Me6/p+CA77nDRgzDbpjV67QpyPcYE7qpnKsvzir8I77dNDJMIcmflcg2JqqoIzBTSfd2yCes2UWj8RH42fhU4VldRxFiLvHYxVeVZQd8XM[f{XgQnicVEzH3Gp:7quVeg+SWBpvVsFIVr3hnkBWWm85v1bJcdLUEWpVy:fBB[ofNcvCRquoKtZvgOIfTZkC1s0jzhcO+7us3YIU1GbtHXxzHnFgWHvqDfFueeq7Q9PhjtU7+DrRCuD1i11:63MXzduiuQZj26kNpTXQSzZM80MvvqvQpJmCZ:hchHeMzEEeS8w0GN6lVv8CF,D{w:5:Ys3DVlZ1uQAequOglbI,gW+QKJgUbL2XUhVUhLXl/5uLZPMISRGBj8WxO2+13KfFoJQ0LrCGI564eHVKGzhFrnjZI:R:77nvHc0nRC8tN,Y,fERm3Ct1+w8FslxeIx2Ih9hSoVdBeP2ZHJs4etEyv97pQfKH4MNfDURZ5[kxYnxvOUSUy2Ohw2abzwCrmcKEapwTVvsBH[L:Se8L50TWUeGTSc5iN3n7o21oiBqqT5e6s{TyMIfrXej2KiedrdJisshbi:S62YfsrjbjWEx9Yyb8g4G:VjB:Ehcq4ViIOGaFPw7tct2f/HG0zXBM/nB:vhB22wBX5duv0LyD/3GV5XhXUyE5FG10FE9t/xJ6cMtn+EK[nPSZFC+8Lb/UbuBn62vllJj85G4LuhvoL,4HsZGY2GddYY5ZRpImvj+8ypTRSnNp6
Dh39vxC6boM1coh/0H7N5OzOXQio,yHItcTbIZK7I6Dq0wHeTLPkiCLaLsRnqU5JgY9VQ7oBwf1E1BYMTY0fP1bDUE2mt3eoQRrR5V:vVJhMeP,CL0McpSYbnsbqt6f/Je6W{61h1lyEoEPzN+rfT3v2ogo3qIoHr6E3Pf5NOXOoYr500kn9hXUCBp2imlIBQw{Obc2+216LesZOe7JpkDQNOcTHJ6iP2vDZL0ifgf4GD3RFlyZfzfxH0Jn3[bWg4xCEb27mpw2wUK3njESWJUwBNXen{yCQ88cOuM7SejWoZNK1MzPOxvyhqiyNsx3FqhPEIONNkrVGS5Q1jFjMmubIoevH5y,uObvfyNWB,yLpzcsbmT6JbTbTTmQAb/Er1VlrRQdMXt5AOfsGSjY4:4cmL9{3dMRi09TA0UJqhiEPrHQ5dj2Swk4hxKmjjtGguLnJL+BQ4Nd0u4prRDdImeeZx0DlhUH8GDIuwqozPXxRE5ZE1frdNEtN61tUZoCMnwYCDIuiXapLBwC12ju1LFYn,5CnfyUnB8hlztXR:2ZZK6[NVMUSvux2CxZsplYs7CwSCE{g{EyuJ73VG3{nPytPNZLn:i08e68I01jyzc7+17rRvRq3GTZKS0vc45ZE5V9uQeC9urWqHaOdekupPE5tGfWC2+Wre5km3vSKYF1tbvisBn5Hjw5fwFEEuEeqyzc+mlWoypgMmESDFCM3Tid1OtLbZF987+u9Lxx7M6dJj6ZMs1PW{N8osbvvLVjDuDvTvFztrrKlbh4Mi1RBB7tv{gvvggV/5DQlDYLvKPcSMTVWdbYsrs,EWkRTsNZ0RGrBDsrMVOeFQOmZUa9vutX65xiQC29OR/kyg46ceSMI[iVRonlIXTvaVqFHqO6JWSfo23eBxcFFZrvm9i{q9Z82621GxRy1yN1poGfuS7FAyipD4VGh5MyvURrUtQpGRiS+LF,6xqmpu+c/Svu/YC{6Zwb2GAL+PyWTQEImQC1dkMZ1HSiiDD7Htn1foQ7+bRsoTHlrMOSPxnKK[Z9dKKW8T3Ns1P1CqF7bhssTBMY3J3kCjXujdl5Why:P5+puf2g76fOJXmW3dy5s3CxF2w0envcnEZvKbmlu7GXLzwLy9ktPbK4+lTdu2bQL7J6h8ndC8q,wM6[wntxfEVUR:h{+O4tjGDz9ecYQGs9RzrfGL+XEuBofpOueyyCMOpW3zTUEvq{n{GIpv8RgfH9D48OfDWTPnkQ36CvrhWPOmPMFk04dGdsSxLV9zemuchPSlE,DXyjNns4ny0vk8Yf3inYG[rtTfqhreAE9zqyz:c[JDNxhDadt4TW4gctworUPSNqITuybETpX8CwlmkTXxllflmVr15FaXi,Zpmy058fTBcy38Mwscx6MBsWsUyIP[7{4j34TipPNnegcdIqa63VppfoJ2uOpLJDjIgGXj7cQ17c1nf1rHw{yZZTCefORo8r90sDM1Jo7beWZYOKXz8{vb/dilRuNpm7OMmg4vcHRuv8M5L2QyUUKOu6C,y,xtkrFt7sOjlkJGGnxpcIHmvOPYHvl1r8/IcrGHbVq5ila0RfZ,aHTZYqsEIEBIcloOCmHeA{L31tkwwGeb46rmltM1BE7[l{zOMfco89/Eb9xbSvJ5/4snKqiwUWkjH39HK0vUTTN1onojE3h3BIRzaUmzz2wWwIO4dmBvBjm5F3kSV,yGjcLWb67XA8S2oo5YLjgPvN58UB5yzDcuIqMEL6vLEPLjU7uYqOR9KryqzgwSgHskO{wHZXx[wdLTpUNsrBi9mhQFIPcDMs08x8G3CdVM/WDe3mIc6otTyMJ6FJrr2uQXGptfaIIhm,BZA5Ym0vJQnQjp55iMv7w{LYjHxP/oDwWc9KKjTbc4XfoI+0lto{5KnMhNM0zLUQ3INE42irgrCxOGZJcWrb8kbDjj6uqyZkKhRXh:uu0:4b7U/k9blH+J0FZCUfdFyKqnST1YiQY:jBDLElCqIN7
M1TWxupWey6n5PkNtQ47CwdpbYoROajRuJEnEjD5{1HUO1RO6fsHIM2ajv4NSScKPeDVujT5uyez1ws/,yNfZCzfM/C6mO8+pvy5KHvyvMga052uCD4c34PWLN7qz/ysFXbg1GtNbX,D[c0yorBlRofoxNG8GFWD,1F/Miw1EcDn1s5iN1plSntNhyoDyIxQ2QkLhDhY4W6Wf+3+kDP5Zk{nIuQpKb{AwvHqCDCMtULfmnluwu0e[41/6EY86wguwWfWZbgDhd:eMQfyFQDNxCNPGetrtFp9oZJ5IQxMt3q2B5dBG2j/X1OPDNlO8rLHepU4iDTipCX6QLmj1SGp2LcehzkubQ[CL5vVG/,uDAihmVUXjQUEc1jfkd9NUBxWOPG1BR{/tCvfpWRjBrEVTR,4g8VrZJdFRVvm1druT5JWsEFHCIkK1x7InjkR6k2+GWZG5QTiuzkYWK:BnBm1qx31S2BS57iQrXkrv1Mln879qv3sXkMgwHQDWHyWfAVrGRNokj4BUS2Wnjx4U9yzyuLOFpr/c0HI19sHLzD/wMKJ1EdZiA:DRBrmM7fbhSu4{rDH6yOj4k8zyfZx2hbKWWZ3jKeW619VF/1xpJei:2nC5QXQP1YlOSTGBECPxVCfRXDdt/656+BoqfxKvPpHrlj35etPLpp2wkZ8KhrLrznf9wLNEC31Wt[60n6QK/GzPrCZx7egfNDHtLxl,98oGCO0C324b7wsovOA8KtviSRXTEYwcpzczOKipi[SW6td:6vZrWuvS2h74VoEMM4u{GU2vSxJxjoUkKcMkepVrPBoprejhHim8ILMHtokTULPU/UwhC53YJ2lOZ0bJ+pRgyJVhOdTcHVCMM2S0S6qX1kPjq[SfHoxEJ3zvn:mRK0OwrrLdkdr1ZRiXqU5gtzDLz,MTt1kC1v77ehyXSyg[i2HLRjOtZYR8YUG8dmnIroRzNy9SaPs:bn8nv:WOWXYOHCQnicUrSJWvTP7zqdXncXSMELaCXCfQBfRUYwgkbUu5lOkVVQ0UG87vdhjwwH5npLfh6STds7r9N3VWH{fCAR+xOFyVdZqwgDLBXbt5BTzUMEU0s6iJ/:cmsnTler3ZrJq191rdX2E,h3ecPnktyPn,FeCdXQNF4K0KN4W7ED4gDlzxRulwny+ZZ4lH6taXeVrGvGLQwHxX9mZjornZkE6V0jP[OStx/OMIi5Vj9gBZ0c8QV30j+iKuLPrVEVOlvtHTOl4SNf/Rq6GHHPpJeCO8fmrJw4a2sQbm6ofPZ6NQc4FH4{Yl1HM{C0nvMOByT:Edd{TjYXHvM{uhZSUmik0YknHEhuEEp2CrR1xbqLECRrJlq,IuKWAxFYpea4/Y/39,m78V3GQ2t0ifNwTPOEUqjXPDY,1g6kHvJvn3V{Jpqu2:zEyzj,5VlLeNb4agWKB8A3+Pou0Ov0s3fqeHZ2IQqOLSUcAMYzpc2i5FIYzUvS1Y5637UGqPvV913Tv5NY1pTuKkODBOyDNNRr9R52x69ejOVbCIyntwx77CNsYKk,6J+gDIZn46i[clJqbtEibmZhyHFFLHw6EbbXUrK6wIedkxTF43N8s,e0KmSrpUl3Z2rrBECmHRSqCnhvbhFjNRZrQBvogMorm[l,lYkVJn30GTgiozC2wVp1H,OEy24DNMqHlnVw470Wox2Q1roVa5g{noTtxEHs/LbhD{bEgZ/g57VFWUaSLL7UUHcTwt7s3yumwhOxRmk0HjLMr5Brws+93wqWh,EMHNGmsG46X8RuEoYsuN8b1QL8aGZhi5AUmhvHPHwP7JMv7Yk,5OI:lfbWiw2R4PVY8dt8+wteDRTBvZaLHLtSDG61gXv9WnMzYUXP0vbt1guWId6i6OakyYg[3mmpyXN1MRGIsHGRyM9wD03mFCt9Yb8K4C6{KZEV36x0smgSHlWQ6G59vtoclYRy9,siLS4,9xp1/jkPjtu0fudsLsKqDjiRBe0csC2mxfWbkqI[6YtKK
JU3e6WS1Yyl7ODFzZBC4ZM[5ch0KQ4Do1sSJwLWSwV23UbNb9J,i10gJo+j4s3mArxQt7y6R9b5QUd[yRWCQ5VM7IgsuPF8uBhhtgP,sRDBGZ2cg6CyhCLeqw65o2M40MHVF939tDMTm9vZAby07j9ODMlef5ohVqYIWrigX5sbpEs7I9QN7k5o9,+mvEP{shB,NqEOI4xZb3M{s2+N6i4TURNp1SUMLUE2MKQ[hH5UghXTWW9ix3qZCjg3QMlLuXbOvqH6LSq93JirBF/j+z9nbXQCDD8Z/8UKmR/UaENORn8XBca0LThQIV9iMwEs4ils2p6gKF1P359KoRbwqQs8TEdq+uupYqJVFG7yz4G1MY+r9m4{fEXCUSMxzoL1MoVhb9/d2Hk1yDO5vxGzDu8nxDQqT{WDqBjyy[wkVYJQMI3UORUoBzxCYVs4aF0,Y0GYtbteAPl5wrVGn6Cj5d6w2IMXQNrmCJax+iqbLLy4TZnp40E,tj/nZ3BtrdSCNRxttlmwh,e0AORbpx8Mp7/Or9nbjj6YkRnp9EFg4Mk3+Od2fqzdTHhtiJ7fRc0Lh2/{A[CSDZWyOH/2ZBG4kbMWXZXG391RwLt446z99MJkPJrZkeJkJJmU19TspH8j7RpCrKOTHroiNrkbQKp[fmd4w,ym30E4Hdb4GKBlwIfSYgCyKGTY6hVtv:1jAM7puDyLTq38wGxin5+",
          "KERNEL32.VirtualQuery",
          "KERNEL32.SystemTimeToFileTime",
          "RamilimaputtHastJobs",
          "KERNEL32.LeaveCriticalSection",
          "e64utQZuUfLjBiY6zoRGBDdTG+gapItgBLl3U3Tfx32t0z{Z6etE:omy1l{EBcojL4ZlezYbCKqizajWzTl94lx0qtjy6",
          "}{%w4oKkhrNwMoqNhh+690CTBBkjeVblb2roZeE4jSVkWq+bTNDUjDu0QIZtaflj7[VX7dkfaz9otpMp0yyj9KSbjEgCWKUZWwFf+Ek5WqMkkfLStnquJykrur1tu6mtY,m,C,gcwP2uXuT3IlxnKbIeCP2s5lQpvHZ3kJEujMWzRnlVk{dRNGHvXWDpIiBLHO9[t2Ir0e3D1QlKYSPbTi0ttGGndIN9s9GjRX3zC3I,jRzi51INxlRC+EL3ZC6Gu[CsY6t4KRU8jzVgPWqn3KzJkfXoBmBiivbQL0VnXIaQmfw8l,FMG89veESQxYv0RTON/IWzvms5XLXnCNbTqqkCn{D,pTNOyejKpyUIjzuYDxRO6k2uh7kndCwnX0DBQykYPcBn3,FPQ{MRHnjj0NgbOnE,z[j8CQrveBVNWeZ{0mSgD1z3G:rVWbsBMGrIthf,hDIC5FGh5mBS6lJOuX8RL5tebjyjvGQ02bE9YOqeMyWhj7uq/gNVeJoPURV1QCqrFVVZs0ZnqHV1Rb89nweB99lqFmhN1OV1hWbnMJScQQQ5aHqmJeU{8doEGBYdL:scORu5QlYIkiJhn2dLRPsMJor5NV6shyJf2kK{Hy0uovTt80SuBP7RONyDOF5XKEo2MDZycygbIS8DTc1P+6GkFlCZOly[/TuP8[1cebX[3K+3ngxLpRe:2si[zGN,vHAQGD96eLIt93rE69QDk,Aiyt5wSevzQ38TElUDnu8o+ObK7dv{Csh,MBc,AoX,ZEHXJdzJS1k5TUT6L,Ll/M1lI8HwmkjteY5bPO6sRLg4Z544ewwiWxS8GhP70GS1pRyRn5uKWmV9o36zLYxPj[oJvFuJMXXJSuoXOCcMip4CegB5lQpEe,g:xmdjWCKH3fQTXcQpbfjqN,7xCF3Jy,SXt,R2eQD2TS9hOJH4EvqF9S784leh1GyJKI7xrEjNqrGXgqRqYqzXAR5y0[7LxvdSF5pwuYeJj:Io5VQ:iJus4BgGwYGhWZ/VmvCeTBWmDHs{xOnxd3cjpUnhArgz62JH3UGcqOllYJXrYpXj+Z48wnvSQ60nh4RGeSGGlJIp4uRQagU9C53SYjTOXP2FxwyCN9MQQI66Ru8GL[d4pyhlM[1Un97gQtNuzW67AyLOQFCGyQwtXoyoWwOXhESIkCe8Cs9SN9Wzh4Fkt9ivs9oGfBL:YlBFP0OZFfSUH3YPAIQ86Bz6sfskJ87KLCaWbWmhL6SVIVnudtUlrUP9zXnfngBP/Pn[6kPE40TTVrtMNs+FZT575EIBpGIPpzIRlhn9d2GyjHfJNJOeWDlwfbHpkFV11mwtgNktsiuM6F3YRVGyWylNDfWSEifTQF0RhFfkAMDNYret6[r5Jb/elgWz+sWyqUhsZzioXxwXriGj7KzDWTUcWFFZRMNsjq9c+H8VvxObhePVQ2YNAk5VGWrYg48bbfQPEDTgtbuTrvimBsyWFiMonLt2PoW:dtC{Rzc{4egplQ/KMjThlk2t01dRJhlqPtMu9DaS2CeEJDYfq8RjhgxSgx+LSG5mLFHRqxuREvxY6uv1SKHZy4sPyR7051IYpT82y7+gwYxl4ZFdi8eDgRkkYpIxxRR4bfOZtuEVjogp6PgvyUo[NQR1O,XfSUGRYcgmS,gCrM9Jlq7hiPsyTr8Rv4eYepecQ4CRWCmoyHrO65mQlvAy5P7:jlaDFvpFaq89GK5Y2ssjVFbHVpJyrWPXLQThRP04XOLlwwzfWqj2KSMkWPEp2o9W7EcJryd1URHBsljQbwBEuSXJfoqhbgigYUi26lBsbzf5umcyRRgXu9LqxQcyuI+TxKM0N8Z9sWrTswteBmpZBzIUPDXpHyrZT[KlV{96aQBRFl0WJMsRRyWmMkRcrMT3GKAF6233Kqb5wKPjCDRYNRbUc3OmRKx5/xgXUD/zSnm5yNi4gOuX43cK4PRxjtX,YO1JkOHsxLRUn[W4CR2h5z8HhBT7m
WUSdpSlnlG5gJI7bhXe8sLSRU+7QHBPDrJwiEyPPy3nVSc1N9Jl83KIwJHKqnN,x{QGoD0n4KU2Lf4iJwdH+MeyiocXD4cGjTxwej/k8IaFm9XiwgVs+CXY3PczDrb[5Xw{9:r4ufkP2nLMSc5BIqyv367{j4DjMi1ranDBIkkBoQLSd62YWmx7GhwjvvJgLfedwciNKVUzmXPEH,dNOBgrHryxrI7VItP:1Su05qb7G8Nrb{I2hUQKaj5LAtBu/rpDKp5IkCFKyVIjMKexSSRg8hEDHwTudn5YJKXn4KHpkJmefk6YVEvirS7h3uy[IdhlqvUDYiGvE99fSUjBivc8SM1PAXrvqEh,XGi3VyJzMjlddJkVmeadvXmQUIIvzcws/jfqDOFegchveqpGe25ET{dMqVBwSQGrLEmxrDG:e9ULsQZWkSytrdA4sIrC7shsSfMc8ZKITxrLflYXlsxtbIuIOJ/:dClLo6gX+YWO6IuDQbA{ohLJTfFUeJZU5RmlNt8VA42,zMK,aBVmuTGEOYd4vb39n,GPFoX8ik5V+,rmuk2LayIz1oYIqjC{z4xpMEEDzNimcV+m+BHnU[uStm1L3CX[xm3ulredPNAjr0h7El3t/05wt5IOpGNc0TlymnZKQ7ojL:awDgQGtOHME:5[uZlkEQLjrz5WrdY5SrpscZk1sedDQhhDyq5C/3LGPyp2MhClk6C8YsT0LcVB5KbI0,hEjhKBi2U:Lh1XiGFJGheQnBbJnpT3uV+DHlANuHNDJv1c7KAm8cSbcYW02eWvSqgjKLY0e3X2BhRFYqq5wo4kLjsMDRDemBK7MTv0avULv:zQwx0qXMpI/fp5edUjHY6hDknxehmMH9+CPIAqolxh7JC,pBoxb7RDpZzG7Z1Ys7FnUw6k6T/efFX7HG/gCT4tlKByjYPgB3BQe7s48nb3cuwmzjB2PfucBZW{2{cSzXt5tNL4MDRriH2y1pEt/og1sYlYVISobG9iYK4MdJoGQyf4/6sm9xn9fL5JR9fhTU5rglyEUUu4bhPOWdM{08FbYUat6Eyd9Molyyt{+Sg,3[i9yq4swCxFUWi78FZWpHO{W0LGrYrj6OJDV6WST8H:SPEbhdpTmxjQ4JtdB2z4rIi2V,dBGsJ1KBNmol6fIBHNkCCjyNsOy60xYGMEH8OULoWOeLMzuiIf8ENFtsTi5IeNcV7dANqxUpu,4ZFICGwSsUGT8qqHjP/SoorUZ8062tyRCJQhAdLFM5TpxbYZsxCIhfNXfQa9Wmp,ZIi14Ts7DkmL4Tt03MxllqEhTp1yNGfmAYxMQIySi15:L31UprxH4YhboUhpQk+8/Qb7l:wgfRLJrHmQvXiq3JtCvha9+TTW4u4MQIHd9oVEYH5dhQ55DTK7lPxNwjGgeqrFGtIjW9S15Gyd176sWq08hUwpzFv[f7a4YzjmL1/mqQMQKuR638VdsRWhypC,rwGx4BNT4NTBcLkuEgOnaft[Js9835AbLbe6IBExmr33nRHZaPEHmCWkN55vsOa6/,Z,0Xat+l0xeJIMxJFdNEvEdY52r5w{2ipMtYPzSc4593FM7TIe9VgL7C66yIo86iQcMzDZsZC8YQXq/4zFD:Tqh3/gPmF4J5swbGR:EmaThiJ,wQJJr:yMBBrwMuHXXdphbbzCsWrk4fo55Lr1yEUDEwMQ/05BNFjFXQueWPVj8btXK2LSMWivbqioW9AeppkZIl+qeS649f6hfzqLVIr{oNfw7xjE5pT8ZVqWyZOhA[VrfrcE64dy9jLZTr3RJcCXQ6XhWK0oUShJ3S/c38OIo8Z1cEFNWfdxpLvtLLm90wLIKFLQY[VmwPtnBgPiEyg7Mrshowk3SCXNdyH7coREG47jgXAF1Ucn+{j:ond9jsKpSzZMpHZIkVkwfcIZU{2BOMJzcwnFygqm/FAFUbiBL8Jl4nnSc[v4kfrFhnr7gud1510F+tH7kiXiPJ/Rqr6UOxl22n15/
egE4Z0XrmGhHZSLIzpGAbe9dhFiW2ethT4FU{Xz+bUObgW:0C3vySi8xi1v+3aiVuuI28iWTtCVullh5i7u1VO4Psxgwwu8tCuBrX9oLyLdoo88mtAGDm4R8LX4AJtwOCzDPiRMMVETkdPpDJirNJ9Orx/44cOFDIwD7cWVsZts0DVzR[h,sqWYEWWpLIwNeSIlRogHcjVzDwK1VIP[Z0RE2MEGb{OQ8BrMdrGNH9/jvSGH0krPKdKghsToTLm9LZKS/I2XJUtfX5ZMLNwz3J+0M5h,NF/hjbkqQDN548YsNEn3Fn1kjPh01tHM+ZP{um2176CIetpPWf10kgE0T8seAGWgJssxPZJ6z3NWh1Nk6gyKc0n,C4vteHSt92iyvRqoOHVlzOzVAJ+QJ8Q{m:e9tLmqjtNf6kdovQip/[VQ9WG:RhtkwNYD96PWForV7TLSHhsfTueXBNsHnOSyKYY3ennQT:KnAcKmzwxZvPxr7eidzFtOdpgvAOYvtG0GqeqmMzwK7LbWchIcdqKcsIo3o32GUKZY1w5f8[yOpJjeP41ippB6UXjhkxgsIyMy5M9x5pV01QWVj4DTuijNl8N0cEPUil3Da48[2W7odNzgWdEJa{K3CGohsqmQiYA34oUqE{/vSPY:ilTzAtRnX,gKbuE[+Y9Wf2r3WevgUpvLNh5w1X21mKQIA0FOc2oxgRavy2CjIMOpvfj8SqGWdC4BcNhSn6E{tgus5hDdMpiDhFJgjVVlWEOVXdZuWKyMqV+:/OMkRFJ10cJWDYPyNsoJ7LeE8dJhr[S,lEzufzNmA9qKdeRFor44bnlu8ww[THTjDZXDuEg5ljPyBkRiEjjXLC+Tn:Lg6ldumT0T68azscHfgcxQiXtOIpCqdsSlB:fw9Si[EYEx2Wa5S8TliEkHlg9xd0hdbdT3LWMgaQbm6CVjxN5CR4HJYukKpRyBcx39fCmenLptrRnW6lT{Zr7YaqXHJlc3TDZ429JyH7BpScm{5i4lO94vI1lZ9w/VNenVLrnm3{RuEkZ6e{aUzhbfwjNdgjlzd2HRlTsqW3AwioW53Hxqrq6oXsK{AZKbyJXiNrFPYZg[7:sjgLpOWsA7FwEUIc9S37yPviFWUWCoN66,xZz{V1MSHZb3LCwLxx24vvJsYkcntHbudT6rlKG51WTpqDLZRx8LwGMJ9NhuR,dh1ChNT{h0t39Gq3Fsm9x9V,4VLL9Jf2lZMBAD2w2t/h617usc0TTxyXaPolscswNO7fdixW6OHMOW5Kef5i4vwFCEQjklz7Jku[/620ccumPjKiJLYjUT/4a3JTFt01gtkC5m2{30dc+vKLDbznAGgs1hacAoYzl{2DeVvL+QFTHIog1Ytd7ixs5wwze{ukDGwtFmMTj4KXD:DuDuXZZBLJAOdS6LPpRmdVVggzpgkgLkI4KK3Frj6iUfpGIykjWc5p8QsuYsS5+PM7a8sWb7oHCT6KTknROtHZ1Cq4A16{cZ8LGUstHNIESPHqojWrdqqOd1nK3FiMxwDMZUsJ9frlDqktJiZWR[4pLtDe8C63vQC0ReID+p9wFfqvV5STQIXZLun,XW/MUuyZAU2RG3kTEwWbU7XfMbaWwzS46U684bA2EP6TVXxnr7lqdEf6H4HgaKhZzvqzXcTPORAufjYZnxPutMl,1npNGxYtSSl8CZ2EQxkvFrgfjW+hBHTIr[cMSPUUg,Flc8qdGCgNQDf1uTa9HJOkccQkEUkwcMS,XsdbpbBlD7ixKHN6ycyOW3ruSLDg+q313M43mgvwiCdigj7txINP5xDSitpCtWeuk14SgTVVqOmFVPzGVzj6Zlk1dl0rLZSF6JnsP0djuGOJgXhglQ1c8N4kFRnR3VBDYwCkXh7R+l2C2:WbqGEXFMnQpJrL4jGE1RhT5Zrlfx2JsS/lpZXZJzdnyB0bK8IdHHRnWnO8TuGOS3RxqDJo7sPfn1GN50YN9wmFxyobDChhISYsbzc9gcA
sDKnWRbRlJdpejp9rGtEP1t3Hh7GGCxNLn,IUwvDEPwNOCy/GH:8e6LumzrxWOxOxKjn7g:yi8iIXTJg2dKn6EIU43BBZ7QFl0[J[YHIpRnErS7LrYrxvFs4uQ[qRqhaeG9mM0BS0iiNYTZSghYrCrt/Rl98iLtMeA3BK9syT+2H7zusemDZHfBF:1YjWM0BOzwc3Qbgkh{2,Dms,p:EE/GDwoO+1ftq0hlU6oGVP7tBtdCTm5Q6zNZ0EjqxYevFBHoZnvwOG1ZPjEK7LMmcdcpmZBxdSiphcjcUGzlZDt7UsYxTlJkfLW:gVTeBTiGpx2XT9MUqSh[e9sz+kCPo{y2xl6CnKVlOPmRh06icBNrVUZov{aISfQU4uUmTQD0mZPqwWs4FrF20yC5Bybo4hFGg3oNBJvW6VxWVbMBpSCLZ3E[iwR8vz/Pzygu7ymccCh2OUAKs9dyHUtM8[lmmJ3NqKA69H/4sRF[iS24b{ENu[xSlGOcaUvRxz3ZedT2USLPeYtfuGTwxM5XTwzGxhZI9M8kGEjL5J7:yLLNmr593b4NzRzNRvK05HI[5ni3R:kwE[pTc4NnAgp2zPHdDvuvOTpYVcs6TQcZjgT9Dt9O2IJ,cRMIp9JO+OrTQBC{tie,M3QfnNBU5Kh6HCUR9PIGm1zMLZMy1t9CYRgPgpSFmnLxrdezlz7mmvO8ezR[zcc95RwfBTm:Flb9Xr",
          "3 393A3G3M3R3`3n3s3",
          "6\"6'6,6@6O6l6",
          "llmitB",
          "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
          "373=3E3]3",
          "RemsSlaySoreAnoaaxalbuffusesemeuMapsyogaHangLoud",
          "6+6<6A6R6e6k6y6",
          "LocalFree",
          "60666P6X6s6",
          "!v s!v",
          "GetProcessDefaultLayout",
          "KineChamLows",
          "l&#l&#l&#l&#tU",
          "576=6Y6_6u6",
          ";L$\\s",
          "Q-m$~hP",
          "GetTickCount",
          "EPmLBnujyaph2n6k:sKBKeq5nONKJ5{wqkZz706AlgvC2mQb:mfS9jFjxcv2hRhm,4lZzUSq:u8Lw42f",
          "DyZT!",
          "<!<c<|<",
          "]<mIO,aqeGux8JrZbN3kffc4zxj:YyM9NcDMv1vTMiSb4mnRVSoKhQN17mN2Pu+EnW+29ZUb6xc5PchFyz2",
          "KERNEL32.OpenFileMappingA",
          "HideCaret",
          "1#1*121T1Y1v1",
          "Dy]J.",
          "xl&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
          ">)>/>F>K>Q>]>b>i>r>",
          "4:5?5G5M5i5",
          "kqKDSPX2HCYOP/CYRnffTI[QZT{BN8Tafn,Jg2Ko[0X+i1oOknPp4ubEZniy2Q:OfQpxex4frsHQLes46ehHemEMxU9LPw{6VUKMC06pOw6cLW395ZdQdqxqDI6UQu7W4nZ8j4QcVpklvHOd1HYcnaLlnEJ6Db,iVM8q6NT/2aIF[3OE0jBkgG2gh8YS3bzV9qu8DxH0lr7sY3TTgB[ctMHvH1MQEy8u2ZcgkH0uRx69X/C/IRgdL6Ew1IzjTRC82SwqQyYIFBrrnOOdUDCIehsy1EEP4IUno+LRquPKTNbnNG1NBNFJdPp37bJIifi5gh3xD4LWS3NkcphFFEfE:WVB5IlKCYM4B5lcF5vp1bsLqwr7sunQhbxrNyCZb2PX5eC4Fv,dQcLA2E8e8ucBcs93jWXU4Egt1cfTdCihG9CMnrULbMe0BQC4sWWLB3{xSadTj4l7skDZGnVFKlZb5K0WmMuicIGg3Kb8ug7sHyly5oECX8pm7SMrKr3ulYnV0D0ZiKSmiyh8,Y5ivbkbUCS7oIGXpASyp6QTNEtaMAgeZfIKd6xgHBPJHOEbbm7B8zsKj/IpINuDIc[N0GdfKUNegKEMmxhoW1PZoHB3teDi1AI6Fy4oz2cuG7[pCckxl9LijVfFR4tZnDp6eY{U8hKUw3SYSP[BcrqlzM9X:vOvI7JnT0l48KgYNdTQUYrcO9QcVy4dMzYOPGNvB5J0S2p07R4QgjVF1piuuW1ClEM9tiyjxwgDwZGgm1,cxwi8R6u4OFKspHrDrRG2Ps{CrRtTx+RmupFRRQcjuIpU,ZcQ3STLJBMlJZ8J4GtXMqhFjhE3yO0mcTf2jHGiD+0woB3yjcBRhanDNH,ST7Wdy6YlBkQ0{wYbJm7xxX76zqXs8qBM8vJO6C:rkpgl1vzoyZe/Jh0ipPDFfAoeZZSa5VHbRobtHs,6K72MSKyVqI9YinH1GAhFlI82Ico/j7,wVN21Vx2dKeD49qxZBJJ6Cfxg:Y{VF1INOPKX[yxr,No3sKhZ0QEKrMt7rm9idnqXIQXTsve1mnmlXkobM5yeSVtdfkKm2fyDR68jLvKTrcJVvwkZG25GFj8CjLmbyWeQXGyD,ZmKRY27BKb5qMnSowu6Tcvqb59SefIi[qjvRFuc{F:TR0Qbh/sEloLg0K3LI3IJdqmq5Sg6JdYysBy8mxp0XMoGpt858hfK6HIKM4,g54vjOTZtBlKDeyypFb4msYWVH2nB39eGuCE3o7V1rcwtcvgbyfUGHkY4n1c8HybiRO6mZ9DqqTnm76saX6lBh1NTFXX2q2dxKPfsgD9PePDzr6gJ{3L5kRulll8ihhkWdX1GVGf2DwjDkMm/:FnHYCkCNuWBflvNkN6TpzWn4rTvOomgtc5jqeV9I7LTyhhO[PkgdT4m8Ct2gBwL4x0Vpc7yKnjkwyZ8oheC8pPQmymMCzwJnh[zrteTQD5SIYuCcVqgCUBm4WQp2bwuc/PBTFqSdTViBjtB0hqS{ylUimqFDfP14roZxKsc8a90XrfnH6lEkaVwrDxZvnF+JXtO1U3S06OSfkkau2H/hovFNhI77E5EkrLm12OuVHCuZE:+eSTiWQOuhuGaTZxIJg0Jo6Mr7+LU2WymW5S0xYINVMGj2H9kMXGmIWMM9ArA4Lp6C1wIHEpsz+QwXe,TkgFaDhRpCbgGJvXFFG:+kdEUU648q1mXOm[oHbLoQs:uNcI3GOXaDzJbvHu2x3UKv6LzpbcgUZug2GePx43ysTKOB7yN9s3yFk4FBLyHWi6jFgDXG7e4y3l9sVDNMDDITXt28owJ52uA6k[jBFqfUXCei66eiGGn4aPBoVE1DOgOyKtmJd0VkMce72O1pwia8j:DBXB3FKiw[2M4i6fsmZpojJgpnpb1T3BMBbIt8afHyWjUUbHHHvCUNkhY1KdrvvR2[yPtpAiTTu:A:71DlpCK2RU85Lplihbk2+V46nTu1YdoVWBue
7DWNFbFCvQRzQM4pArJfeKrEl72FD8UZthdCLZyocc+RXxznfyYZC[+gU8WpMi6BRhoPENkOteKiLSdyT82EIshMkxm9fXqefyUShi48B{bzHjWRYYAHtoo9/ptDFqjFe9R8IXsl0[MKcuSmmfaD9{qyYL2NGPArW6ROUEWYjTSyZ8DkI07LSLuBuKPuWlAFK:qvq{kVcTjxIrJEamBw9hNRN:J4HNRiUEDPuCjVk9a1ExTEv:7KnQsDi,GpL06x17Vfm6Vvdo3wKTDp7CJYzstnSz3Y92RyrumTQ2SYthxdJIEqbGTOSL2,q27rt4D1qEHJAHT0OEwnxfoRKp3VtmMB9zjkcL3[SQI5e0ebyfFLHFReZuC6uzJ0rGD:s{MWcyaPSQ50hr0GI:/7x2DQMnVwGc3SQ[yphbdLwXwc67JJJPY0aPR[7emXJ4HL7pjKUdbzeU/1Q3fD4yywB2eICf2G9bKgIXQTudFDAL97wXbU7E3hAXsMx9pYM5I2SzEvp3ZPCMbeOHSKLPu3Epl,GvOkItEIUbNPGqNq6Kl8/c2boQ93JqVhXvEbRgEQqhK9qopVmtah2DTSVPVt+tMTH4bvqeWtWXdeuwZwA,79t7/9ZICyTsm71k9FZrLZV4grERBIvzkPZnkmCrsy1iVrq4rPfCl73xhUBOrFL9RjjwkxInKdscaxlmP2CbCsbu5Wp:ah7Pz1ec8Tr1CZGYwibopllESc8KX81Q7FOisdu,oh1GT,9G2edzjQzud5fZWvxmBtIcXhXZvb7sa,HQF1D2m17JPQazR,ek+cJm3c5rXmLr0dAyl3CW7{I62JzhNJc:XTippkLFpBLZnwSPxmIT3im50LePhQntrz7Z3lE6UO2o3C1BTrAWQHuclxr:FoYKdWKFj7HsHXAozwirJ7LfpCpl5{cWRRdYMZT9cwCvVFyYe{VYdEJDPGJ7/uZ[aSPPWcGRJYtbYehHXljHbkt5sSJo7{j1W,pYHkKwUrK8helMCRnbG1ZP26X2ZccEdzIQ5M0M6eEVvWrIwpZu96OpG0qyZpuVJLZoMpbECIupN6Kvmv6VU1n1PRsH77S{3OdLMtlxtQecn,i[eOZVUN2vsdF8esNlIgKfewaiG8yVFcXej0sObUXQg6gYb3jrKx/gytE{c3DLEsdrkPpKv2Ybl5p5DVZPuGhI8lTZ0ZmdWqQDr1zwWbsXLY4TH0RnEhmwM7RmHMNGC5+DZNrtcQFORfp1Yj/{Xsw0n5aCTY7SYc6QXyAUU8NFZ02,Ul8LKSSR0kJEkQa:cPYJKi16SSYqykaH/d18Uu+OHlD38znnlmp[mD319l4dh:r0Q2Cn35lx6HpOobZl8RQYpjLgtCtUX5oqw[4emwH4+,XmKNahaLjPh:1QEC5Yh7Xf68S2ONu7p5HezHJjH[Zh2FrPsp0yGHVBb80{bXZBAHD{3rbQC8jyhFJMmJIe4hbCdLWi8yX[xPUU6zpfNyr4LilE4nIcx7D[ZQgNRPMXHikvEBMRlTqGzR9GSjfBxpM6k2J3AzyMR8CX3eCSyiIq5Sidn4ODs,/gUnB,3rP0p1V,pwbygkdnXGHuw,YsL2TLsZ9r7dqoT8NhCuWwv[r[DZgzDde78cNmfYc[XUaWpyExAQDbjzV8NPEZNWoF2ysYDQV,Dxt97JgVB7SSpu5zr,43oFnFpmqej3/4Dn7[HdLcuPf9XE/,tSmzAFpppDxcWyJ1SuAbjXBFN{od+jIlgtsvN:VuNBT,GB0qZ0W6AFT3mvAJj5QtF[D{kBFDkFwCSlZ48LQwHf9ZZGgxjEz9EDo80wWcX8otM8jp94UXEGu0nIgoDFZJEhuF6nTsqIvKKYfBFscez,yRGXmG4vT:WDuDWE2GvLbwyUHBN3egGVrq9jDIEIhvTXWV8NfWff7OJ3dCzoauFDwfbZlNY1eGW7B7UGl3M6sgrzI7brSmyC2sACqfZBP1LBr50kSFMvVUITV{3ntJu0MFDcE{4[8[4q
EHyGUSK8CUayNPc5k1wgEoS8zQwzF7MVJQm5WhWYAGnuLxY505Xhf7cl2XRdEuQxC9JXnFMWxNAttsBfF2vcd0CfUrX7ye9BfBS9FGJHcMc[bgCb7ZxYogBhMjNf46v8cjRWTI0ZJ4VFOiDZFjt6YSA93lvjDNXdXsbqHihBSvrnAbvDjd53IzSUaeEIlpKl2Mp2OU1:cYcf6,C8hlQiBGrCe5pGL2pdouhJOXrPhtIoPyBcG:QXL0cD2[ZmKsOheXaZ5TDhsmKc1nIRpMfRyxxw4uHbEhxP00X6bm9RQzoRUfHlru6FwStqa02[wig[FQRSPwUzU6SHNXuGW7sSgx1gCS1wSwg68Ww7Xvdyau9npvuwUuZuf{FfCnuTh[2{XvLCIXZ5FJ4InEVvKWPL4HSsgG9M+PjFuDasvEh0Sii{VW/Z6sIr5XtozGpY+MW5y1RbRPneswEgGXkxQyVfheZlDxr3glZVBe4Of5jcS,6p9e+nlr8lHQ2sHnGVYES{oM6mfl360b05sc2vPTmhhlst8qrNez2TAqS[u,v6Dmok9NK8NiPLrep[K0tzND1wtxUHBKRQK[VVT{4Bml9qiJCBAy8Ll17:LQ0[4ueZh4yVcUq{9ctgXRaJoxInC8O0odBh2z/TegPRF2mEXOdhs0jZfEHS04/lijHBePYvokpvK6hYsQzu1jMV0[9eTKMXmIJVlo/nnoceQQ0TdzEP5fANdDJ6OgrzYlr07hU,nboZi7CusEIE1NV5Bsaxnv5yb:FZkFDSaEE6RTf{69EgCrczisHHPFNW/kQXFnqGI7UEYfyrL3g1Mo+V0qwekkzWir1UrmG:rY9udNfh2zFpgVadwJ21mVMqUQpwkeD:kSpj5DD,BSTO/ohipj+FnF6kB54[gEpXijykvcK6d238vu2HeNL6f7oltyIUOV9iXSHYv8ybphf{+:1[OdCFcQ3[UwRc/,E[DOuYZfsY4nSXiykFXSFiLTDxrlTLUBYtsI5Mo5v,181ENMS88IRQKbNIsDYfyWNjwnAOmF+4Rdg3EGy8GPTKu8dU8vnSuS7GTP9MNrF[I7Mug1m4EI0Si[zhZKM[1lnJZ1chqMGPdeE46ZW7xHpOKLQ28b65SPMu3qj7Tkn:T0F3oiEJSOGZcc3kSG/z7rmep9AO8ZNgoMcLaY1exPg[GF9w8DF3EMfi0T+jljVcyljVXjt7JK2X6PUjNnkD0Y6X8[QDjwy3bYQZ2N7P5ZwVblUdev/06,NVDMlm4ntlwIF4w4ib7V8wimwDv5DT/q1zWGOeM:/1W5qN1ivH6ZjfNovVGmRcd7/VBoT7Z0tjClVXRzADO2bN7Kz7hgnKQyz,OenOQxT7p9GUIusR4rH{tz8jD7K68,E:7{rjefR[dRx3DqUCcx0hHrDg/GP1de+z+DQCa,NT7mYkZKgfFff[aG7p4N1Kxh8HgyQS5hKSz,ngQ1BpwFKx9tGc855z8ItHq9Hpa,zJaRqDKhqpuwnD5pzJ1:SwkgeHAqEJG0Orj8hdDP6,n,rvp0zSfGPZ7xoIV0NEft60vuZwhecU/nV7G4aWXy/,vUv2Lr0qH9QZ0kZrH4aut{WgmFvHkOc7vqONEsGZ+ON3WfI:50x{Fj79/4DPijsdp[+IT:lzHDR0WtLvFzh7nJw8OEyXImgK65bvMIq8pGgwYSbiSi93xIvtKzGEtQBjXX38+{olzv5qUZUTq44oGjgEaDkD5mUdfzlWvtvzu0dzx,6enWEey3h,T8KoERIp4Rgqqw6VSJGTNSnY3RyIk{VIO7sDYnL3Lwmp6VIDpCmEI:nCLHYDaJ8vQipf/zvBXu0yMztU7s6elN/8T{0:RtElJXo,6kih5Zl6+Ma,5zNMLuf5D3+HOb5gGJ2V4cY7dtdGXruYm62N5shnASydkS3jaJB33lh,gfRZaXNilBtWTNAjDRJ,ZFxbMf0bxbE3SN131Y+U5xw:ncIb6QQ5MUtMJNdhO2wzrXEudvfqYbzg
2Nh1CO5,4[uJ6dBcqvBtTFq7A,O5MbyjYFne9sCcUMgZXRl,F3auLMUXLksM5mlHRXjmiwBcYjCs6qV4MB+pbk4zvFY[hdpGeD1xmnETTyGmIn+NF3mQRrZDEfEVOKfyg:x:zOoOjQLP4VrF76g2Q3wfLPBNHGsJAiO42J8uok7LrWdTB48Q/:BryYCYKKXyToDYHm/7VYQ:reEiHX02g0MURpxvxYsWHuAeQCrSmelyTronEzg[/Rx2G8cWKu/,BVQNGD6yj46xw9MeyRcJ7kVIhhx2AFN4dRVnXVTCT[qLcB9wwe0uB5fvKy7Xl1kq/FOTrTpnYVkIjbtubdqfWjvMU[RmcSeCENUFNrw5SngftWCPRiF0PG1t2qQgf50kJuOuoJCftTj2fW2IgPIDf8tSDXjWLBRywD2[MHGP9MW6zY7ISd3ioRUGuRYLSJLTW{WLkQwdKgbwh0W,58bfX6a[6pDjeEXec4oBR,hjb2WmZH8,hS2oqSpoU2jWlNzEoC25SFPWDPEn5RUS2X4k+56mPpSmqoFSJe2cV0uOG06kHYLEAFSjzR9N+Qfc+zEDiKgrMu8tS8lmJhFys1DKAf2Dsfl5tjvUWOtrGwIEZ:lUSSqexeIBuiVmFzYm1yaiIfxdGOkXcWmURgNCGBK5nKVshwup0hIpTDNLoVTdkbHJu2ZSYE6Qae1[E{q[asVH3q7yYBlUSFB5uX",
          "464J4S4Y4u4",
          "8+838;8P8v8",
          "VeerCrawFlateel",
          "SHLWAPI.PathAddExtensionA",
          "@PPPPPW+",
          ">'>0>7><>U>[>a>j>v>|>",
          "Bl&#l&#|7Yl&#l&#l&#l&#l&#l&#",
          "s!~3w",
          "MaarSectFiscNextMattbamsErasnimstoeaBadshon",
          "DragRoutflusCrowPeatmownNewsyaksSerfmare",
          ".pdata",
          "D$(MM",
          "USER32.GetShellWindow",
          ":I:f:y:",
          "KTH3w",
          "?$?*?\\?b?j?",
          "?StawpelfOdasbachSlitfogywipeIniaMeedfoh@@YGGACUtagBITMAP@@PCUtagRECT@@UDelsYagiNessBrisganaa@@PCIACKUtagLOGFONTA@@ACH@Z",
          "ShowCaret",
          "CedeSalsshulLimyThroliraValeDonabox",
          "(Ml&#l&#l&#l&#",
          "DungBadebankBangGelthoboCocaBozotsksWheyVaryShoghoseNipsCadisi",
          "USER32.EndPaint",
          ";-;3;N;};",
          "ExitRollWoodGumsgamaSloerevsWussletssinkYearZitiryesHypout",
          "53^KRQP",
          "s11/4Q9NVNPk:doX8Tmabeqo[RBNk/:k1BoonIkY[KytUYGcZSH2XHCJSd4JWSXFK15pXRbhg",
          "KERNEL32.GetStartupInfoW",
          "BemaCadsPodsWavyCedeRadsbrioOustPerefenom",
          "AsksmaceaglyBubuPulsKaifTeasMistPeelGhisPrimChaoLyreroeno",
          "PathIsSameRootA",
          "7<8B8K8S8c8w8",
          "SHLWAPI.dll",
          "?1?7?=?F?`?i?",
          "=-=h=x=",
          "SHLWAPI.PathRemoveBlanksW",
          "l&#l&#l&#l&#2",
          "l&#l&#l&#H",
          "HeapFree",
          "616U6s6",
          "9)9.9H9N9k9{9",
          "nl&#l&#l&#l&#l&#l&#",
          ";D;N;_;k;y;",
          "PathRenameExtensionA",
          "=/=4=f=l=t=",
          "9:9J9P9i9o9{9",
          "3!3(313O3c3p3",
          "USER32.CreateCaret",
          "3K3f3",
          "BagsSpicDollBikeAzonPoopHamsPyasmap",
          "wf7vluR1AGgHV85[7,SQwhWiFb+hBUoix4P1HIV9yWx:pC3Bl8JZSupNvwCoiQQsa,Tjy0e2VIDqLgeGHiskhsRL0oJOLOVlbqaow",
          "Dy):-",
          "l&#l&#l&#l&#l&#l&#l&#l&#'",
          "U0\\0z0",
          "2^2g2s2",
          "?MayoapoddrekheftExedqueyAlkypap@@YGXACUFlatmisscolyHantOldyspy@@UDecoappsSarigatet@@ACUtagMSG@@ACJACEHD@Z",
          "PathIsRootW",
          "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
          "tl&#l&#X",
          "USER32.GetPropW",
          "ejDmZKid5htD0UB[gZTHJVrLlTaTBBsBS18pEuDJBuMks{0H0zRNleRt2kh8S:QPqP/2v2JFYWjpubc,vQKhJvYCDZsyJKTWY,B6xyzRzzHY6Ezu44u6U6LOL[dhqVMnZBg5BBzRcUFjYozMs,mFEY1TcBcQhybOFxlh6oGChW4brQ8ek3d:3Bbpfi9y6YokW9OWFPrN9vi4WGbuORsU1owQcr39qxP:T2b:c7+hJCEhdVvCy202J78TXejqMwlIwD55RzX69O0boXG6uLpLRFFDmfZ,R5MSF4bsUtDL1phtzHmbgZQRAUOxEIF[fQLRcERmaH0NfcZZLnYKPHqNGkN:ZeK4dyxO/sBp9gatnSoHv,guiEumey9S/V1nodXNY2lMW4PP6OZC3NC3c:3MKZn,aMMZM8Nlc,JbI6FEOYdXubmnFPAIrYE06HhIRXskfB0Zncq4ER00+lIXRx2ereLffR+P5XLE9gbZyWUG0PBS2Hww+xa:l9S8T1rJAIkruZb[lcheL,D1lreksZncQbHzlb4mO7mEYcJyfGSi1IqwDijDPBLHTKKminl208rjFot76mkbQX4uLYAr3D2TytirCutj2SgCkhes+HSXAqz653/jjIf:Gw8vTKRtBK2NHqZswlyKCS+3sIljwEquEks[0gEBM9TOdumphQnrb:8ryevI39sm9kdzU6PUBpkzw1PrPPxcZ8KVgVkP9mY1DJLg/lvp1EStY6vXZUIvYinfzw5YJhaDY[JSTFpRK193S7nMOpd0D{9UOZWNNH1ccqiLFOHh2wZ27LEGGieW6TtGH:V941HwVN96Ou60xBn250bPtMwkt1lcelqKnoT5O12Unp9neSUEuMgJLttnuBbq1Jdb+lqtLB1g2NrsxqB,rKl574JiYvXKrqBv9becHGRCbd4Z+guJQbuXoG7thFajHoa4uZDpdJCF51AU4yFV/MZ5/,ezM64cKsi7YktRwkpx6RYuIMuQbeE8BiJdXp82AwoX261bboB,WhNGQXKYJirVuGEkVF4{dpl:Ojz[C9xcC[UtqHYdXvd936zuD5lz2Isz5pFOIx+Z6u4073v44{zPKBlzDhwcZ4YgEQOq5dzLNXu6uheHSq3Nw0r5SJnnQuwBgYulaIXhY{UOlxqT6bsB772mKW3hUS1qQi9fhjpX7MuCSMXKPpztjblS/oqgY0xMpHyKb,cewuf:B5Zgvkx:x[KRJBeyWk2kte6HWPdsbG4sVu5{qX29ab5z4Gy6hqxV66bJ4zJ9yUHmBdnNZJ8{6PInmGRrhXYSiKx0eMF{JG71nS2cb4LxLpLD25M6wKEbc4NcN{aSFOn7QDxJ+0R[Apy1zztoC8CFvt6FgMtLG[ljPdAcqToE4SPcekigFPGGRdZks70[0MOu0iH2b71RsoxJzhmpBHIB3zU{eCh8sUZIWpN7xMJhrXyyQ7aob4DlEFPmzTtV9J9z3LU4HES2dZ1V1wVnKUoUnvIPPr1,otGYhe51GNK82KscsWUBNE20u2SzXgB:aQL5iVR5NjctW92CKQvR+ptZlFbTkcAhy4vLXWgREE5:YgRQBi8,AZSIPIUsG6KzxzJzM8qpyBGzR3hX0iIupKzpOrayWhHew0qFMlfrmQAjCdngB4AkSkt,nsk4+MVmHig0TPh4F:CBCqNLMvVPIfobOzt7l,jsOoScDY0VSWJBE,Q7QE+QNobhtfsO9rDwKsbSJqDk1OAutmWWgl6scz6K+sEc4y2JTVGPWXRiXEtcPBLUwJH9mLOZgyu7iro,8QCpiDNlV79mLCP7LfikP7aXOt58NyId30aVFl01JS4Ct0sxfkgBo{si3VE{EIpQlLBEw5q8DjypdQOOe2zULvRiadkSfJGMWzzX7QRD4b+JXH6xlFgQrxw0y0jpE,q1/jUqW8gclSZog:AgZciRHleK1Bo2m0wQDdJroEZdrvoeifQohQfKTso66XAhtZw04WuR9eVB60HDW
ianuYlopqavjsoSOLVnSyJkr0AJaWWduMyCDgrJeQX2srnbnFgpaEiBeJh6rKvKhFq69S1dXFu[dds2T0ZndKGLp2jO6Dyc6ZE6LgZvW2MU7lWKddDxZjIWwxvbzjloxZ8oEWd3bYbmLsu[r{wo593br2OMCTQMWWqjSYtUE4XPLs2U6leOURT3rYyTArgvovoCdDZhI8T1cSWWmDi7N7XQGV2Q3L5FzQqBR70h9zdUxLyDURRQVegDZkRyb7ps2NWcic6WGT2UX0cnQk7FhvzpVUD9h3UYLJlclyPmSEs{gmgrA{Do7Q/0DJ2:+{JD0ZcR6l0pUf7vstzrUChJTy/TjmGkfWvhpiU6ej8,x5UBD49pkQ7zCH7S2RumcpU3zqb5itnmm6gVyr/0wOqplKy9JdR9JwfIBSfnI{TIK7f17oX5aQyk52csLlY37dNC+IUipZ1SQUvziUE5P3mkrwtzN1ErcSziT,upJCC6d5XPmX8qd[+vixBjTvKPRWRhIuSg+3/xUMS[Uim7qwZlWHmN7mQQyD4wHjl4xWFilQtz+dKR9sW1Mc8eZ4WZmyfBYMYekxg:+YMssfpqNP97sSIKVwrcSZWOVwCdDXaXF07pOv8MMHGGT30ZsTl0h4PcrEf7G4IWJWrZ4Q+v3gn8LOgIO{Q{/[C4FZbwGlQIcsoimeU01D5tdmLc9ypHSPyLKfMiNCmltWX91eoUWefhMwdCOgCTNZg5ekRPeeHf0Wb:CI45CbFxdo4xrvvtu2Kz6Vx9jW9:N7MBZfq5tNtBLsD8T6QOvSrCYS9OrSyisHS9qR705h2LZ8KdHMYbjh/v/QId8vUVfNpYC9htOnHfT:X:SLigHlDSh7swysIqEG7Is0avrfD:/kUiQT1eo9HRPev9Z6pyBbM6ysSUsozGhvhC9PnOm[BNFu+QmsUzQ{EsCbK58fx:M{mXSX2UwbrhV71dLPSpW[mp94RzH2P80:UY22ew2f1fS0+:kFl:WoqsLdapRJ7vSFqCXTs35nheCLDUJeoPjvsos9xvVVe6i:q{bqr:pVHyBPMCLPoNWD5kZpvJmwlyWkPoD{vVVnqYvVHnFtHzdB49QvtPY,p76o6,K41o35BWx9Hqn:KNYQ/Z+Ip[qkE5AlbW32SJZEf57y/REc57MkhIb0PmCYilXUQzZqp[hZA1KjK:pdsN+8GrlZdZk:R8VQa0+XF5psH3AmappjMTwnAOGLQoGBmfpYPLDPeQ6NDuD7o3+hlLORVee3WFBtd090J5Z4UsM8zoxf7EaJ9Y92Iz08qI3Qx,GQBLyzqsWPKcxpp2SpUMYizJU:GKg8ojRVaifBl0f:IOhMPN6srIvdZzzkFnHTXOgu4JoCBdQ9zYEW4h8iLuertHkdyWltkMk:dsWtnK8c4for9fFxvwokJrRUbnNGc4HLGMedbGhDiwMhZSKLjsIB1pLPG8YjRseXfxSCPJvqv7v,WMNBmHeu28Wv6CfU+xhF/0KMbVAfvdRuSqV5l9HFpcf4yJvWm0MsSyFXCHawMgpjRpsyMRR0XlB6EJDJ2ipvpYVxcsFglQIqwMwMNwiW9yFcstg8k:iG6t05IhzF1o/I13vFmvk4/DDEl[cKxj2hZ{9lz1qB8FxPuPW{c{3P/,zO+Pk:TzIjjQI8AIT:pfGeMWGOqKAG+BDi3j1FPxQEiH4Br3jdKFA:hGjUL3FFosMliV6FwGrwBNzt1EY8UqGZVdc5oh9CmI6b9mSf4YR[aXHBsYiwcknG5Dzp2{Xl7cOFx4O1ukHh8EtLdkGXNBy0S9zMxH+HJikz8[yfguI6K17LmMNSSNXkkRsoDiMFj:K[FglqE9VQ1W/pdoV7YOMkJve7+KrcZQ4lOFPOuFM,SnlJA2MyG34SxgCn4eHxvGbX1iRTmISceXqhh7WbJsFwCTWYL{3G6jP75knyH:SuUeX4CkCD9bxY5lCW4xl6RPbhkdDkMQ0MyEAVJNQH8Dcx3KOYg:NHo{znsse
OGUMj2:B4NV0ebZtlp{Q[8dADYMvKay+OEdd1simBwKjGJ4og57qRNqcv5JtSzlH[B1Wj6Z0X+ynkN,mV2s3,NMI1eIqK1Jt0cz8wC2QcoFfgZkVT7xvyznHCHx7bmgk0x4pqDZvTWdkIX6DE8swzA[riWYzhXpEd5UiSs{1kxVmkj4HEYCM,USsJAR1hKuZwrOpjZhzWldGzFf4uPfFIuck6a6rpR[I,YFe2gTA8BinRF7jxLyznK{6gc9pg7S5DJSVJ6J6cHpQ7/KfBZEy3d[jXU8p6mDUJQhJ9KXYKPFz2FVqOxS7qsTOZUUXfRNV4fratjp3s2xxh9IWs1beg6HL0D[vxpUAxzrEjbjz34f5KdDqX8wQgVWyOU7XLKLHro[+1l95ttljHerATVzUSNNYcp600g0XLgFLmzzv32XMJInmUd999dyFl2wnR/4TTGrul0wSU4MDfehvwhqE2qilFSyNb26t,k2TzwP04Ozx7CQ7QgqC2d[V7EJ44FFge5RZ5G2ubR5yLDBHsKpVuswTl4KXnFmfUKxUzYDzHs1JKz6Ops4X3V,4cstOukMfjcPctQ6Q09[KTXHD37vBsquHQt2t[kT5L6WiEnR+GzFynN{7ZqEO3WEtKFRbu4sTnAhZiX3rxg96ROCzKaGYYtEexTWuntWv[4y9DJwwnhyhPTZd1O:cKMz0[vdVcoxzIqb8KbdE4sKIuAovLzjaQ7biFrFG7Y3BZGkTKE5NVk5395YjtdGQ1MQDxffXJPn8fWMeyvJU:GDet3pBfkQXQVj4tC[mimY3ZMr6ZZ,SuOgzJ6vgnz7anKupdcoG4ZZKu1CiHAsnppr/qYgtDMbkHzxp{BnJ9PrYnsB5{19XvkhGYawZwlogESKcMAhqBZGuNQwJylnoFh2AhBquwzOrC94vsHOAE6qNMQTltiBT2q3C[t9oiRnvZm2MkoYHt6bBV8uJ7FTL3XMWoDqr:+k+d1mo6dot[U[9RrUdJ39b,PidP+pKbByw[4Y+kPwks4VDEZ1o,0TJPjiZ,iBxN38D{P4kjR6OgJp7MdgGWzs44ii1,1[V4Xd4ETvAH3MXg/:JVh:UG+W7xvDLTA23oNz74Y44hIliGuBophiKRrGhLI5/ijKivJ:dknV+Xk0fBEo8gZdYWFEzjiqTWeCVOW[T461S1AxmxPZpfHd5WEWq{xc6cfK6RxZZEOMtrZ1xqZHIZGvaFdH7SFqU6G9E9wCfeor2ZWpIWFj31DLSv9xc9+ceO4YkPsdvcRL6smkgomkGEOR8wNtbQA1TLbyGFP:VkbtTQI[tJlgF7h{ISLUriGs8DExcRVrzP9qD9X2ZVklRNx4lkC1xlOdKpA6Tb7qZXDDwvebJqblVTxeabJXu5e9I7RV3Dge+iBnV2qwnShZbVYltn6ni,7fjDhYbDKRaBWwh[ZRq:1ja9xbOXhHb4FZzPQeLiPct:ExmL9xf0/ms1ht54afeOgE6Ppjx0NDbvzNGtmFDnW9Ob5DjSOkkI7whzyGZ9h[iTa2nFU[g,8Zyy/ErWW5bPQ0VJbTzb0PZ,43bvgHez89Nrz2QnYXRcTe0FKOaTsJN{fffkchxo/Nq[pKQNbHSgTintdwVLDJ6NUBlgNEIFnZ7nYWr,1O0J+6ej29kMSdHurNxOHbGS3mPZCcs88sOZQkRtNk25LDzdJU4jNlnQ7,18yj2ysHEtmJvTq6u:i7ItLZ7J1LkDewrbqwRfpRO8Kp+lCx0SxCjrHgh6nmj2lTm6Kdq[PSFjck1TzKJ:A5C,0eZiXUnl2pW[SYVx8FYw2S7FS0HiwOqqUlR4/cCfOiAxATI9P7QXbFfSjh2jZ4c{CB7,OuKfhnk80WSsXvJWIENSFJ3bcL9DsbIXk[Fo0L7DOH8rEDe2LMO:I47mLhx42inD/Yn7D{oKs7itGQJbQInlT4lYHMKGP3q3Yd1hS7CEtfx{8{ihhxCSDOf8TT+lnpnMj9CyL1sexXRl9ik5TMjMw4n
jdRmXqMcBRejrpwfJxcnQSiod7hh2SOgeJrMkBeeUG8wBT{MRIId6TjbSRrptXnL1Q5Q4cXlZv{EW/8a[dvV6mr69pmhSBxB4t[axjH1m+97EVEUwBGsY+38u/zdbI,nbQCoM+Ro,b0U8yMa{RxTrag2WpFYX6nM[dC0yzJMOl53GhKf8CU8taqPWC2WSojBwvvY76OxKhWwt17kqlD3cyrI2m1YrZ522X[EkzCEFsUeKIneurV7EE{7UkBPNQLvUL8JhLzppwfeHQ,+j6PPm2ltlwu2I2LGY4Kl0K[heb9aeVlmlXJ4fsqBzY0WUFozy/Y5Yvx7VRCJQuKlIqrIe0Xx7Nl0eBXSxYNWwcv9wynZxJO8dDPs2WzLtC2wWs1D66WSphX1yrrH2Ksin6igkGFPHFNU5T[oRPCmNu07deVRvD8OQQyVvY6R{fWG9jwtZnZNwUOg1hxPrCfgJCGBjZBV4fyblJf4sWj8YuWY1S3ZuTXQrI{/zfdrnVsa6/NQsA6V1BO4Nfscl4GD:UMHjwXfEm9pXp4MHumZuj[pemR4iBHe6WEPO5Ir0D48P2pvPbq87Fz+t+9O,6pyJQyiChbHV5qtx5:aIm:eqSPkFiBse+JcThicsLEhkloERRl8D4VD6tSLPg,WcfS+hFj5rnBWjm0yOeTp8mNdtXzCEBDpnKEhj6d6YMCu0a8PgifAkjNzBk5qxbnh2U",
          "eK['}",
          "<;<H<T<",
          "KERNEL32.VerSetConditionMask",
          "KERNEL32.CreateIoCompletionPort",
          "9tc34LSgjT7ksJmvD1NxsNewhlynXj97U7O2OIsjnaNv0Vglp5FzexmnW7uVORnovysoxu0sKAIn0NYuxRcwu81fYFOEugVLBVJ+3jUAl/w2{hHZhK9leprOkc:ehsEO,UslhU7hNQzMlNBeg4GykAU429n4x9tNXWNJXlgIuXm5rV3DW52CfBhAbolkZF{bouNcLRVi5QM1GXw3Tc7uxXYINyXxWum1hICIMtyZzylSPc8rKc[AnHuKTewgb3HWCiLOVgLu:y0rhJJiPYKTUy,s{jlJcJtIrKn2oo2dYMgvtHuB23iMHcc6:P6+lc3+JBkzYNdDUZBfouOn9mnoCfM8lukrKvCjP2J4UOO7SW:6JzFoTgUeSz:xWdrnXuT7Gyo1URklBett9zyvZSj3EohkCAOKoP9kHrcgQeW4eeSU7qZDqF[GtRJjlLUSEvf18gLAtL87oD5k2zgUMVUIVk0RTBmyMMom91pLcm:ure98{BYc3N5o8+TnsZvyizTT9mdjjb:/Ygx5Tx{4Uahn8fZblnRhBeqgV/UTG/Wp733jRKNVssEG:oSR8abNDEYp,DKpLt2WKCIJ7KzWdYzZ[KBXM1WEO9Jz{JuNsYKh7hQnglGvZZPHCVRp4wzB2/6vsbqRy/HhTHStqqI2gDBXpYD/6sRU7pVAkCpLP6EmT+L+3PcBbremZqENCAp65wZ5K+5uv88TKiT8q+YcbhjSnxE9XkyH0/xbe1UFha4K:/SS98ojE9uFE2xPzMtABA{/T921TWgqjVucp2PjqIz8P2tNYKfdXCfl8dBGJ6MdlNFdrfKrrHcLzfMdEcN2yawV5U2y{WtgoT7eT02EPX[P5Eidf+QjTBk5QQ7aiUieKOKxkER4kiNoJeVxT6izmH0LE96PwUlzNipmNtPa2QhOdfLRzlqlJ5YK05bVy7[IFU7pMEzV3Qz+q/,Y4Mok4MsswpyZ6ZF6rxbibchkvSuPvO{+Svp2kcULLB1z2VrJcbhrLKpkExCNRQZML5zg3pVg{gM3wryRoUbJ1lTSqA5NfK{2838QGbtCLqEeuH[akcfDOyR/fqWsmK4AO7rvrQV6KJukKt,vs9IZ5553zJVNNBlZfopQpHMkiUSKgVHF,fcSl3Flo/PyR9J1cBL+CovKX9Y2N64gzWGJxSDWpUtJpcdnYnKY3/nktFsQ4xIVBtNDh0HizBu2{svdiwjveVv16hvzokhBVLPMl8RPdPhXn6znw8bKcUQvPRCQmlfP2agnSGHL2+HjVzpwRMwswKMoPBJ9YDNSlJdQ:5oYLazvlZDlV9P+ZQ2+BPn0BPk44eRy4zZYyG,JzszHT9T1TvNTfTokvoTr4QhOZ5ZR6X8TxS79CRJg,JdcBcugowq0gIshSJHLdc3UHKIDjn7KW/X0UACmbqn5tgF1FU{efPkG0Fx8Lt5eiH,shmbm4EJlyMd+qC[G6BQ4MkY2[W0/{4O8K8i8Shq8f+X6rMfuiugM11X0HrDO8eXBCaXsBqCPQ9e6[fVv88ylOyXwx9:G:Gvdjav3rS6Ukv4LBZGKLl1B{88T:Mjf1RjZ1HGj2SFm3qx1:zWQwy7XzpEcJw2VYpRqPqoASWV27h{VJdNkKFI0:+kHMn7+KT{D4ZfVwQZpTGEtnUd4Gcn022miV6:eL9maeAX5HQWclJ{9mpnur81pQAdKroOm[ZMsjpmazsYV8aND8nk2gNCiPD{hPsgKZs5AFG3BiAjJNw6EivsDsd2PF0uZL203ZDvoRV{yeOzelIdstHcHdqSu[r,3r64V6m2l:W,68xH0VnoxmDGEb3tMOywhrc,1BYxtzcW2JJ8l6vfEvVBRTO81KQN3TRoBljW0RCpUda6H,aJ4POwS:i6+PGvmLNPReJiNMTmCV6D0GOV67PBwMCEj[d[9zr:ZO1xdlxmpd5JZxRCbkbkefu:7TKctCPSK8Kflzr66IYqNOO0HNNCTmBd4Lq8UxGZnSssCEoDUH
VEftZ{9{ZK1pnVnnjQeLTq0sxgKwNG91zc04ltIti,NC3X3LE2ZtHNWlc,V[bQ3xtcEQ+uE72DFw8uV3BSG[hcX,+fld4hs56FsJww+zDvNeUUeZEHOg7BQzzjEFt5XNmogph9/sgC4nJ1zgGpNlzpRecSbUZ[oK5Rf2pDFTddyeMceYr2DWK2jSsHY99VNd2r9:znUXWlCbWvoO+SENf{57X3ykcFHkW5jMhFJcGvN2qbjUiqblQ:m7kSi2VFo2BUo3Y8os+dZUKnh05OA[V4T:7QrywKjhcf0oRRajAeZb5X0xkr2LVzBv8SVZd,aYGQn3NThJk:4U10cd4qJdZ7mPdGi1pcLDDX/iJGahm40SMdMf+XZDvfGrAS0BI4ZbOM3NAz39MzBb/73,PkujrtvZa:FT60QNeiBTLeRc88Ec4Fz,7V08vpBUsjOZXxKxCfqwf[OB9K2TWkRe5pmFm6gxoTVRZJ9LCoW[vDU6F9eBbfXsSLrW+bSOLn65JEk{3h2CBRuJe5PQ/fRtRhibIvnDFPUG1G2GCk+{hlbhw277T{hjyS6JXgl98Q/nPfafD8QpQSn217C9dqw7j4XYYVlQT3kxi5qBfc0zam9EsTSUf2v:qN8kZdeeQ0/uayuR3kZc6Swq9xQVGjEhIyL6AvLI8HIiFUV[uz+lsSeKsjT0UO/bKEMN6ND:fi5QOYpV/hg:CTB3pvgmtdXqkVZ{ovfeq2y,8EWTJ[rpcEKTSQ7nc7qEL1SYcsog4HPPCEGQ3w2Wq0ZFN3A8a9fCwLtmi7QuiZhtocoBzzH[/ojiAJjq52Y9pTv4vlkHwsREwbCMdM+UvNcUVez0DUWOBPVydincQR2cmn4tOG73oexzjY5pk6+YT8mRUgO1eo1o4rCSegmBUH2Sb6D:WM7xDB9jc38NWtRNbmJ,mVNjM:1IO2F9Urv[cOl:+wb4prrKmi65renRhfHQpe/X0,0IURWxjKmp9hD[77rWDB8buveQXQ7HZK+HtBVSIGjt/4WHt[ssK1I9dZBM/ieoG6iE+dFrFml2NYFE+nWXOMAzTESviLNrJoS9T14bVO4tpDeYQ68pkYnkgZBqjfKpLUOXKSVmincRG2v18hT68hs3sigVW{uEEO6rby58udJFz1zInmyJXdKNCvCHUmWqoiJElvq3l3AI5QeZ0McQxeMX1iLBawnPC,xCEyMYjTI3h4Yi/R7k2KLXWdeL/VMCbrNcUXxQqQSL7L3Uq9i4A9XhEgF1YfEuSS73xd/uyg8yBCizxbwvTmFD45md4JnFBiwUME3lQeCxeZNqrV0fmEBVbuLD6twEV3AdZOD498QDB5uG2YDZtjsqat+ZmK76U{4jTvz1y36OJnWYglSBrXIirKIpkjZCRtAiUgs7Q0DYx7GLUodEiz/nH8/d6kz3CWKLaRDXZzlxEUUfYRd:VU3OcPZ2k9xbD96ONjLyCc4n/:4Gx{+PrkawAPV,4rZUGINneYTdwbC8oVvP7mc6VZWBNjw,DeLKnGdh7jIuaXepmEpMD{uHywZnQ8uf+WAq7WO7HkRfOjfnDEqiYY1,Mt8cEoFfXn2HIpFEPf8FQ8QS5h2x/ygxrcWwfgd24MKJZx2p+iX4KezmAQGppxbvRlZWOrvytMf2mSCZUGJ1Ofm9AxUmQjmOp2QcuMWuvj1h7yvCKGpnZnUifG+i+6R:8Cdi6y0cEpB62h2nCx6yi5kDEe0,ZMSJy00D19H[14nZMxhyYfXw+xlCPcIrICD:zHETRODiiCMdjgnJCtf5rHcsUFpo0JgSZEvMy,xTb[VH/9wNVeFVvPj6jQtedx5KGiH0KTIg1vtVRtFrW9jINQ23QgSJc0YrAwzQNnV56NT7lMfKuUD{rdzeg3wEXLvggEeKRuEpY:BwOERO+VLrNLceeYeqwDAETY7D0tWtPW5bMyFMHD25FbuLJsZLVD7Pvfp89yhOFQvpixyoV3PixHMH0EZSOp1,oRHt4hl{oihss7x2
JeDTJkLzV4WsUYY8gu1d+hkBxloLzR9:tcZZRI0X49CwmRkKGURkrXN5r4oTSzlUjGpTj7GJUUFIbIMkjYnQkf+DeBj:9BEcwqkgKeBcF:lHuDy8LRxOll6{Ue1Gwo3yhq9Q6{HrxJZKVn0ITKw0ejq8rTr9hrFcZjssrFLU6IGrqye[sNO6sHJ0XVjfHUisq0u{2PRyXXj4M2CLD1iGcqmxXEL36CNcs6Ixl:BT3{xmMCNjcUw40TqBfZitenPWAkJiiinsSCdkrvyWKPIeTin[G79lCopR3itb69SK3,dXMfr5Sj3ZvLuzWVU5nlje+4SRf5dbr6fV3KQmePzl4Tg59[4:XqUJjnfO+t1VczBVQdPE4ThD6rHkZSgm/6fYNvEHkpoQVWfXBmIf+OX3+Grk7l6pwZ+lk1R{ILLuxcdCucCPqwD43g4j9rmmw5IOMd00kXhbtprDzWS[DoFBITEg3G3ekjcC8[k0q[APqPMNftaL6WQGpzyNQS67PLoyzhHpCxYmOc77280MHSvzsDchEvxZwvcgW,K4R4TH2Zsm77TFyBt:LTQ9RwBfb:VEekQ4cLp4FDZ1cWtCAPZr4:ZG3GomD5A27lj,XsmC8z0RgLdQBOlWngZra2ZZUY9mj[e5zCyT23RpIoIkDrj,sxAvnx4mgHHRYVYrcm0xjc9SnD1,CXlVH8kHONRPkcYKq:avjo+vRWEts235JpC9nMBnsoSGI8mm2msedFnVCqwrF0QPnb9{VgmpOnImwxQwQ{cYjIyEwlprGFxN3uB,F0ZXw6b68IEDS9p{Inq0s6IGow6b6OupU9+diPwHKL1HsPwT3wW,R3HM6urfuSnjm00f+faIqHI8gikgDr7wh:N{2,Ko/HDGxP09cMf{mLly5WfIMpEc2rgnirqdz0Np4HRnPns13pdsE8Mfy9ZPTOvCMCIsgjhHNlxHYLzkQgodgykuz,35X0FZ3R45SNahl2RDB6cHYnbW4ppprj7j91E1eLphB6v7ByRwUzSKMX5fLkN[Q4GHMsP[HtjcZVe8aC3GzPqfOV378R2Pgsd3NBLiZK3GOBuXG5OhJDIoVnZ[obPvS{0ioNMIbuTiVZo[mor:crQfDBLWCz7flKH2nqj39qyyMReNNJUjg9R5l6N6bV24+nVgFQw4g27vSb8uHicSD1fPlTX0mQRLrEb6VBh2c86[HwvmeRfTcqRbJI7Dd4x5exoOUnShk10sLVYnjqfT+674ZoO5+ue3Z06l2ie:RoX33WiS8kO8XwvYQrup/nq0kUh6I{aC8LBWAwEIXPnyJczoA,3Sd8Bzg{II9ciZR0Ph3QS11rf1N8+m+3giJSkvzgRlu,3yq,c{HvZd/5HYN2nYHTZILnuOAkhdSdwP+C+bz151TrLNAKB{KzGCNU2hwIWfMTjwVCxgn7XZfp6:TJYftsE6oyT3vXBe4Evlqrf9ugJBBDB{mmI[0eMmtR+TLy9KyTVhp3OEXZo8JBqkmlH1KuWi6c8ggro0Vt82TmWIPiC,VBtkkvh7YP3okM9,rSdNiGrBSUCZL8sf+byO1vIfZkYdm5L{Dpn6c5JnCr/7l:xkR8YgA0rHukUBmSgEXwjqom1KwvIjeTgj1g5mtHbthexjSp7m2P+R98XGKgtbpH2MThToN0s3mYMIc5sNzKyOFO1qFNnrWdyxCtnEqW1J83akidFL3Dvfj,ShcEJTc[9sYucorV0s035fA3vBtqBMj6I7ssBvyjC2xN7ENb5,qw7V+EdgthoCKRgVz2HYusDTl0GcMRWUNjY9AWPTh9/usBsvXHiWfS/tqPZBE{NJgPCMr8DtO[n,eGkhlCJk/3g8/ny60VsnVMBOPvXQAuQIbyIscOmnjByjBuQxrBnLwiwUNXTgogLeeqFOAvao2rfFJvi:P2iRbTg5YVutREad0STHwsPj5OLqkfQinGJhC[FBfiV13si5XCxKuJZTPQpTw{ZVX{ik69a60D3JsIUyqIanN[uG
5H5Q0b8bY1xzOulRXBZ0cl/DB9l6uC2eTY80AWTRR0XHlnY6e[6IG2avAzB2Qx2d4Koonkfq2NMyyiunHkx4uY2pSfmBblNR87I4iMaNPfFZ9oHDtbqtBVJiMiKnxVgk8I3yO,/SEVK[k1luKtys4Zl9LkGFtgQl1OLtPZqyl0/Jw6bpYrpnredbYPjhYbcfw99fJbZXEMSc0Hh7pSZMW:gVYMRfDyDR1YXtiFO0RMD{A7PJ4W1h5DNq4:zgvLW4hDzF45VY0t0Dc6HlVZBMptR9qJn51DyThwtwLRXThQYKDJ2rrENIjRk7y3FO6iKpYjXMdbbCDqQGCNYb8Q1hdTKLeneVA[p8BKBqy6JWfHmWbfGhW6KbyOnKDXSMLWME8OryIUA[MLJp4hBVaCmbvdCM9gtouYg4Lr7L1UtuWhAmXH+GZc44CGKZaWInB1gFuLmDpoAimLcjwdUyAbOKT,A16deB1kYuO0+YPXeVxYhInl5yIE5uuG6nrXSe7YvvoyooDbbR6bCdefwXjteP/1hhgKVMcOlJYXHUcJQnZMi6IY8yUV7[sWUSUZpNnKLcymzNbVycmI3iMqlgPZ80vqQ4KsQ[b8ubpsqG2,RnI546PKqFfpuwt0uMy,0zO50oQ0RBlzVQyuTZkphlQ,xogpSyL{mcr{pdrWQJsgK[uYSxk3U,NcjuN29Jv1CGGp4oPOpKZWVu5m5Y5M",
          "G\\l&#l&#",
          "D$\\wv",
          "GetEnvironmentVariableW",
          "LeerMiff",
          "l&#l&#xx",
          "  </trustInfo>",
          "9%9A9`9",
          "USER32.GetClassInfoW",
          "l&#l&#l&#l&#l&#l&#l&#H",
          "3)3A3W3n3t3",
          "8/848`8p8v8",
          "PathIsRelativeA",
          "PathCombineW",
          "1(1k1",
          "0!060<0P0Z0`0l0",
          "50565M5R5^5n5t5",
          "IKe397ub8CXtoFKc4rpl7t{DViecb2T7YM1yKaiMRmyCfs8Q:m[+PtURL3Myem6ZTR6kTSYjeph4xg1wlgrno+H0p81Wmn78yBOY76uEWgJRfJUWBsYj9UhYSyka,41W8CSofjB0HDNNLwdiEN0BklZtcoFTYYjCFSHyieclSEgkzC1+C6Sc{pem:hl8,1yP0IMJIgia1BzEg1n5:rV2vYfNjGzs[BxL:3wrHQPtmmgoz9t/mHRZdX8cc16WDd[3:CcsEFmZwv71LcqyTk8rmGzNmUhu[03eEPy485:YTmp16TnvCHJ93thKYpwgvt:in4QmbAP6z90USTWwYQnKIHb8otPSRSRCWTxFx5UvVfq0sZ4N9CyngWotZeWbf50v1fF1iRbJ7hSN[VDa6Rv+nQ:BPwVO2MLAqX9qQS8h{FeUMeknwzwf6YsoTis85jlYoiE2u+Q43Q5Soq4vzF7XTAyumJsd09tYUlKE8RRCp0VfyYm/pE,JXvGcq2uEocMaie66IHGNPE4yfh5Vie0JjXXcPwg5mVN7Erbi7YjC9hKg,ZITUiLfcsDXF3{4{k4KXW9VReyRCZ2SZsxm78k3wYJFoWfa2CLyeO[WrjJLr14zUceGxae4XfO72XRPv3NOjfrtnSNh[IGoQdxe,q9EE5EgBWFysRG+xSMq69eReX9685oSlU4BI481iRXYCH8bQVgIezmoS8,5{vNBBtI8zvNSgFjJBmSfWeIAXXYDBCKGi5qKRGka6kMqhPGSjZU+T9lO4Mk52Axii1KD7kJptEX6riDpWmtYjFhlSsY9EUG9KttqJYNdvSFzc8MMuPzV{9DJcJswGNHJi960OJDijwywNfEiN3Bhwp1m0vxRvXfpsNHKLtboRnKmrxtsd1BRzAsBFjkQIehxBx1iqaEMdI1nmGRDPvjRhSdYdOrYfDg0TnchTuyA9KVdzbc19YJO{VomPpeHV6:D3M:ND6EBB7,ugdHDxMib[q5Vh/TYCTXxUhIw0LOApT{ZDAxiL11Y0gphGONRdo,M[WekRk8i{sBDXH2kQ6fnVL5m,Cr4Wkj3jrc0XYkibqHW8oOfLmYOHbxphce2ZZHHv2YuumTtP1HmTAo3k+V5twD3fpwShHQleZF55aY5VIjV41[4PEpkUaqdpnQ/D+VtuS1V45U4{4I5S6MJ1jJUhr1L8X80VrYHux6IoYHADiXUDj,zDR7Dw+ttNvswtpd2zW{cbU9OpccPQG[Z57eAzgytFfsi:fXpt8KTxcFEradfDxpbh5ypSbNM41S6kVNmgIUFvAvk:9ZJmwOoUTQPD6yy{utWk250QP3Ie2H/M5cICwq6P9MUzZBS7U7ZPlbY35KJ46xuQOTVcPCf{izp2GqmhkZsMJUSR2PuP7JzhyFWGViNqsiZyPbMtBU8bt3h9C32mm2xvIYNEpSqsbMDCvxYkpF1V4fl8op8VDLDPuXGHDekbOIjE18voWgItn7bErirQlrPsVKK5n[k8efHmtCqyCmGoR[0pmMNJMVCWmRhz+bdSWKzoPiWGUJx,Z29mMHnLem9P+xu:zRnHI[AnVbh4IbJ58[VHfxACTSphLsFTRUKf4cn1f[h3uL63htg:l6AT+wNTinpNmZnhP1ZPPnQ30iVx8Rn8/d54Ve/d/v7Xm30gGlQ15mSKeXH1JrSErsRJWnVZvdRmSY5KMLXw+HVBhOf,ZJRkecN41LslP:G5V0K8/{D7X3hJY9rVS4yVPpy[prft724,9Kq{jk8ey3nYTzqZjgW08NF5u477Xob2Pz8iGQ/olM3e8br62KTHdvRfyMjHPgWEFk/djjZ[Bbo7cpck4Zu57Y1FUCVYbcN0mijPrOjdihJtJVkJeXsP1RarEMconfSrfJCgWLOSUVZboc0sS0mnfqrdR2PdmtToT{xM/CTxPD8kxVgx6J4:NZOelgecBDT1PwJ7NTVPvd5nSPB:JZw2XSKWpfcvuCdCtn/[MXOLFDx{
e80X76TGSCoCCtZ31q5lFPmVFbOZys/8WtT4gY7Qd1BWCF32zthtiFZJrYf0jXwhWwhYv,fooS5lxJYRM9/p9VP5KwoOPz3XsfIxkrH2I22ewkJv9YGzyHuM6vdJazvo7SHXEvq9UfWGd82beoSe0UVkjHW,nbGDCppWp5n4kXWTXvGIpkpR3rhnOvyvlWx1nJrJE7+cp0CJC3xTjq7v0JLD/4mzjSR7vxCvu1A8Es+9RxsNsOS08RPytM22VVAhUHRkVbmhApE8Pxy:f0dM5jPeL5osLf470NPxkO/b6OpkB{ZchvfyJR/ZD:E{ANaem73R+4KS2{0Nqr1jAb2:0B3IMzJmmhU{Fs0tZ7PPf[ZQpbCeH{AeIdcYnwixR8vDjoVOAZbNvJMRMBd9a4bu5lWfmbCevkK04Bp9HmfJRwsvWM/R8BzZ/dBLApgJ9mjp+[5ic2MyC7/7ylyhrp5LFreweHCy5515mc/lSZkggReiuUqsqvj3k:aVLytm1J+UhR16R81MGLdK87wLu7h2/MzgI{KKWMVvR5n5TjzvrMxd85KTJeSnqTqcC8RWgC94cb5miNLEvKK23JTcm6n3+{rZ2nzqR1qBaKDyGmi8/ZuNVUdIJ:B63vpBPZs,JojMOXYO5c8d+3b{U:ntYxn96hM8f3X[dd6ep5HbdI0[X3jJXkp:aQOfJTH0IUO:678,ypDiLqajD0rLXMUVp8jPIO+kxCOIgsg52vbXm0WSIkEuIOfUcujlpezUsQCZ/HHRV2v[pLIBE:/hWq58dW5MgLGj0n5osvkCPixs6LHvaxEWPVSE5vSubl0sD31ztyZJzjfXZ:K9INVEG{8jW7kUnlCgQNC2vZZHRsNqkPh,oECPAd8v2g3uK3X:uKFg1kdXzIL8lSBiHdjSf2jpQB+PAuCUbd3SnWiSC,BESeCgKl5iAGpR1FnyrIrLCJ0NaTtvpeXRtClEI8/Kii1Sb5XItsfGhjtYBfj[/XEdxJc,RJpFj:s:5WSBxcW7PdWJUvigQT8raY8zl2e7SkduNnzYGM0H8G64y{pDJq7WXh+i6i+hQpBjSOpFiZtQuPDJ2{zTX2d4yLbLQDJutDeXSb+Du6B7Bdlghc4zS[lB/isw0wotdLCVTvptYEtvBfTijdyp4MInHr1vG92hqTY5m8rZjmezLQFiWjE9x9AY4GG4sd/Dv385w:aT1tZEJohcYVbU6yGTC9FBud8Gb9HXUptGMslG5XZsCDUhG[c7vyHEy3pmoojRIZe8A9vLZr1CqqSTVOUKaPSJUGlmJrldRfqKZ58k3Q9MnPUVmluUGH+ul:61D1DvwQEUMe99qSmM90peB9sTIukVtTxW8PPk2ddVPfQRl7cnk4mKoDK:BejFqC0gXjpRNnaBb8TpARAEUtYgmP/2lKzx/0fLXNHejkqsPwv2pkbrYuSqAiIwftw9FNV{EVloR,qML59FpF319ogel[epH:k,Ak8J+gdLlFxQK1JPfUpQA6SLqCAfObCKzE215O57uzWPmsi80dO7S4+D72rzDFMy/DiOJNd3TWQpJn6hoRnMmFEtGkfCvQbNwQaJrvGO0cJ2wpP3ml3uE9J[DzzgFWAdPGZKIPje9hs1wMYfcBGzBuzOccpKamKJU1HWjfOi3Zz1ks4HCqBRwVWv/M3,zF+c2xrhsiLYzFs6FzkCMWYw8:Nh5ZBK3htI0ywH/{NgS{cpm2w57ZHDdO9h7GDF2u3ib:TxMDdisYdwi6mVp1iG9EamfsjOdyeiAqDEHRrj7bxuX3F8O2T:uLen5KvTHNhUKKv6UpU4k{6Ow40DVYGdLmuTNFn0DpYGppirV8lS/7R:NeWzjE549:hYYuT8YTC6pFaGjikuzB5eKiQGqNcWX64[IlffwGz7OZ3FS1IGxZR{W:OkAsVLMV+Q1qSw7mN1h1tzFwQCmLbROtvhAyGZccyisPF07jjwNsyk9YVrD2Z{xqtflkzVpiN6B5DidIst2ySUs4Oj
XIhZbZSx9fmWyyRm0QU69,31v0ARKTe8P9aLs,aQEIp6P6pYJyKj6wSdpRz,vwDqUOF8u7tJNvjEUUChvVVHD2m4FoAJEQ6RkrqnNtfh3c8csobmLgP7eEwGMkZ:UHuiMnLjVH2Zsnw861pmoInCyN23RU0lUQ1mvBHH3FcvcuZXywTikM/4deuta{zFavzSusDQ4rcCTHO{8pExQxkK3jKuRWzF+Imu614Frt2:okHmI2YEH8UOUgXX+mKFsiVgPgs2XyEZpIKu8iUCjjE3nB4plvgl5SU8xyt{o1nNpHjFCQWsETb5w3RBU83BgYQ3P1TzEc8CCCJejsIDv4puV0bji4WtR3nCXcI5Lq8bPjqpL4Q5479jBUjYTFlpS9yp4[r0EDTmcwIX0u2Irp+e8k60rg5q3pMCG2rUSxQRzgh2O37mkgESqTv3iI9Ww5VboBGl13aRHSq3UQFIQVJw0ilZThjVizeJSdGUa3+,afAI5:spw88rrNDuhyW[RXGwHhB8+YHfg1nMrBzW1l6olg3kctmvSt2Qr,W3lv7HxjAotDGzHPiTpE/eUTpeBbm{lXqhAieu4mosb,ZozJz0PKEpkDG[ijSibOIjTmVSKleZBsIK/M4QT:IzD0rRXiDmJ8RZe9q4LZd2izh3CcAFDMl7dKaBdXayzGwW0mb9V5/gV2vWNqN8qgSnAF6M1et55Ktn1mr77bxMggvGvmE5s:TWIiicNo7hCZ+Xcy8{T4DJBgBBDfT8rCZ{B6dXsnTVS8hrJDmgN1f04FNhuMU9cQnBesq41nqPsmvRf2Rw/7LTnYIdk4a9eNN,2JDzzgDY+tF375j2C9qxFnmMHXfuOTOWQhVgky+BqrxFKBZdKHxo00an0LCglcLjNrmTvgSGF8nh5jMxmqELwrUdGfSP/I9FPRfo1y9WB9unv2SoaQVhBRHLTyfw2q3hH1ukj5ScuFXZl,wWIud73I4sbycZJT5vJ6fsYoQ6YBXo4BrD1,s0m6xUiwTqF{LuXcg,ezHUF7L1tnyUMhy4DmWCXr84Vq/NqTc0gRdySK/G3xKKlRs,CUXqE9MIOPKcSqolbegfq1ebyJ8JzxbfOlZqADKicGOjEKBIxFH4Lvn,FCmtrGH2NDTrfoUHmGqZWNktJ9ZNs8XS7WRb6mIJOdpW0[M7MMpiv8j3S64:nNzgsUmXQVA5x{VKaNNMQti{XXCQnJjWaj1vW6A1rtwGn7d85e50RuxYHDuEYHHmKCESSQzgmZ1lDw2:W{+,LWstzO4mcmLNV5wyZ,mrHM9c5CH03hT6AbB339cuhIT1qQvOdP3v+:JfNhz986yOxggywkEMux110Ns4Xd2mFvDYx,2vbpG2YNGXTeTnb4ZHOycoXvg1SlcnWzYNCFQGwMBU6MO7doQI18Ov5WP0rNCzg1rCW,g4c:nvzFYZtg3DeBJxYiT[4,SJX:aYbpEy/{jmXZMzXPAOX3EGJSyGezGuCOjG2jn,6I+012U0kXf1zgbn2CA7kC1Id:R3rcmXNgx8xpXjwnMda{v4yi3{Epz3XpenY49ru:2rtbdPGNiQZSEwpTD8WM3Z3cO4+5jCAWn:YVhxWi2N3Kgo25fCK1bpQfdhtEICe9hSiZHU/rhRHkfoa9G{qvy:XcvN/hMgc8eGo1FvnN54lvzbLQLuH1d0n3Afvk8WJmJUAGYfa0mMwrDp7RPzp3qs3uCwVjvGvRWkgg+2D2El0TDyylHJH3Q,JeOficvS7FFNrkGCg6hrwv4:q5VXQ6n[lsV34hurig6QqypCt7k1hbOj4g9NVdvTe45xhImH6yZjJ498M{G9YcudJwJBJttqCtSESoDDsN2PnxlvA3+6vO0Wm7SRzjN3ON5U2J7p0OGldjHswEwTmF49l09VJ,7sEN/NAQtRjEQ:chggj,NeYBuBoImEOynZQZHR4pLXbQ4b+kIPIUKgGO2SrFSpuR2[c6oh+8v5hs2NjiJk7rR6dgN[5Jfup{3MSt96
P,Q90YW4/X4cjiCZhkEyFW/Bj88,+33BJNsBW{6kCFL8lHnXgPR07[eCw0b9PjeyUP6IbYiqgorKNsEj9IEoJdWIPEddQQL639M749wVmUyx4Fm18{3SnQpvz5O9ZudpsOaE6OnecEDLbPUeYL+6FxynV1Bo1b1zwH6ebmKP6EGhzl0GzvefrOaXFgId6MohXyD3UPJPvmExbXXtJ[9juvrwiKAxKjtQdvz9igau287jQ9NkIX/RuHMfeqXQpvc5h,injza7k6KvQf8[Six:MGeNi6PVGxbu5hNFDvqlTudBw9Z9/30NtMJxOQspqPAWA9SzPZxzVO3b4E8B5U3rCDI:UWW4zDd233JOPRxwUyQJJf8z4lNjdOf6OcQ02Bg,TbSUkdlEz2HZSrN{1{1vLMhWK8HvdS1Dsy3hdqC5DRso4oTq1QHPi,2YAG+szb96q4Ew0HqDU:njSL+xaCzZEJxeDpHvN:kd64CD5[V6J6w1v14JvCB[s3r6Rnnwr{Wfyw0IFtd3DbfnpXi7kSWeFGSkpfbO9JYwf,how8kOYJq,lcTGpQX7LGIhT2jz4:ISo6GGeYbHzsz,ciVxE2mRg0RoCSgLv75OZ6/O+L60u7uqF1phwyqh6I6Z5G5rNu9U9onE7LzEX4AFkvs0BU+UAZEvDlbPq[w5QHJTlrgtVttNjV/63RVIVvfVKwC7I,EpNkYZnFUZULynaV",
          "WhopTestrangrapsdebsTzarNipaYins",
          "3(3/3G3e3j3s3",
          "ix9x:",
          "; ;C;I;S;n;|;",
          "Rl&#{\"",
          "2Wl&#l&#",
          "USER32.SetDlgItemTextW",
          "KERNEL32.GetWindowsDirectoryA",
          "IzararfsFlamWostAirsconsMouefemelallPoretweeSacsOxidMinx",
          "DeleteMenu",
          "?HermArcoludeUmpsjiaoTareOhmsLimetumpdentdellAlifboosmy@@YGEACHUtagLOGFONTA@@PCU_SECURITY_ATTRIBUTES@@PCGUSagsduetLowechies@@PCUGrayEyneCombpupen@@I@Z",
          ":+;0;^;e;w;|;",
          "<@<H<N<T<Y<o<t<}<",
          "GetClipboardOwner",
          "PathRemoveArgsA",
          "?RipewindCoofdoryYockFrogPertDuadfansLekezoeabranOkaydot@@YGGACUKinkKithHethon@@PCH@Z",
          ": :6:;:M:S:b:",
          "BathEftsDawnvilepughThroCymakohloverMitefuzerat",
          "D$,f;",
          "=2=R=X=h=n=",
          "ehn|}",
          "`.data",
          "LoadBitmapA",
          "=2=R=h=|=",
          "ImidslatJokyCombdrubChefBilkSale",
          "|l&#1",
          "4N4z4",
          "\\+s3w",
          "l&#l&#E",
          "H&l&#l&#",
          "NIHRP",
          "GetCaretPos",
          "KmsKr6NXwWcIeaNxv9xwJgLK[Es39syhrN737RtgC/fteLpq3tLWxN3IRXNzvZ{AtVR8bVrs9jVsLR:o:mc4Gf",
          "CfE3w",
          "I1BRP",
          "KERNEL32.GetShortPathNameA",
          "l&#l&#",
          "Q~Xl&#l&#l&#l&#'",
          "m5/|z",
          "SHLWAPI.PathRemoveFileSpecA",
          "414:4[4n4",
          "?S?[?a?g?~?",
          "l&#l&#l&#J",
          "l&#l&#l&#l&#l&#l&#l&#l&#l&#",
          ">->3>W>\\>",
          "989>9R9X9h9m9u9z9",
          "esQS}",
          "-TTUQ14DQixS8HLScboyKR8Srwoqg0KTMvK4QlGxNOKv9smBabFi0VbHx1An0NW0WeJXR58tp03Iecn0HyJ{/onz5mEf",
          "DeleteCriticalSection",
          "< <3<A<G<M<r<x<",
          "mdecXJpIQt58ovXy1fobi97gpaxOFudR55Saq32sQtM076SrsvBpbR48p8C2K7NDTw7xD4oqQTMszRHqibQaStskQs19tL4reCxeJjq+MsGBPIR3{27/jvZUq6jEq2ULO0FYMeB0tSit,KBvUaEi743we8,n8y3o47lL7eVURg0U7nbk3T:CslEfzQ0ENh881D7GW8D5eeFLHQyMIxWOY9sNx9MI9I7Pjvbe1YoeZyrIKwmz{2X9hiBnZdJDHn{q3lh3{jG+VUuwhw,vvUP/8OJoTkMTFLieyx1X8C8gH4Qfk4wMlvksoLYGpQtyIAeAz50BBvSCFi7Brv1ckQMYptrIKNM/NvCX8ptdUcN8tbt7u/BvKOXKE2RRii2DnyXhxS:A4dc0ZRmC2ZDdr5uiSKqCM/jOI2i1[yb1Zeiss7rKCxlMtE1U72RDc6bPjfFBwSk4,mmcl7kywTDqjOLNGcJIh90GW+LAx4d1k+FXc9FsmPzRGPWTDNSavJlwfSCvjngd:YcQ[uRluExyzT19ZV19hy1eIIhgHzDbMI{irW:wUJdDziKE:nQaIlsaWMt/dI1Gm2uezo0A8KnULuWWxx:Quv4Rfuc9p55FK7n8eOgR6qFcRffykEIwmm28[tyvxf9gpHTprbbuhP4XIe1rdwlM7xcIDj6o83vA4JcDNoC7L4xnGcKYEzvBmVrNoR2Pl5Ug2qNCx9GF[oiZshmBP4vx:q1P26EQ2A3SYz6/g5u9cKrh:EOTUZD8YlYg8F:DyGpDIrDe[1HvYGKFvV55vQEvwjX4{7Vh{6GWtkJmjZxtJiXgqrBumhNu1mreNR5U0pGUmYiNzsmZcphLJPHg:L9uql:F6JFouSCD4ByqZ1x5vuDwIqovPJtdYoUUBAih6kn8pgls1ZIKBwWXrTmKVNsGpOd2KLltD2S7I/EjrRtlLvDrxqQyQRBFrb,BekEfL1{zEmumznjj9VWiBRT1{H7KpTH58tkXUT[yE/5DOm:AB/E9cv:Lj2uo4qgiCPXa4cqc{G2OyR{RnQSQX4GKz49AGvz0G/8960dty0gtgY6xBYGVLFe+hnZoDZe92l8FCjfhdlk+sEKZyQSLcrBYeSo8mcIJoPzkyQVW7q1hISGrIOKhrFrKDm,ocWJFeTp02QNOld1+41U15Bc1YwOeZ5SOS55uOmWNLzQf[0kHc09GphXxTDoon8lAdVZqdNbXWWs4ukWo2zU+ykOGuIfa0URxqQFpqSWr:AhnkdFHRZPv5zcrq7co92wDU+KEKzF6i+GcYgL2KfEa1gvHzlzSNXtKh4XkRDWdc7iJH5qqoozSbyb4S/fGS8:TbTuEZnpuK71sqG,D1ajSy/YR6zfr:zBIZppyIGVstgnJ,XTg5tJ+pL:sgryj4Pe5NPJEJSq5io3AdkY2ray/hJzlXTNKt1LijxgSSDbp:cTcgTvIPInXMP21ivbsZyCbsNYBz49kXvb8B8m6LMgk43Tvx7:qRwpiUGmfeQuBPkHJg4lWdhXP98d8xXgpxVJk,z[oD7rig7GJpTgcK4OZ7x5ag+uMrzJmJ/8pFLsSZEB5K5IZ24CNunpG9H7nY+[Jluj5fcrPnMQYI1twup9GQ3oU5qX0bM{OduXw0q{kNtPd:SZDIvqXOX8UDHoELQwg{K85GhWaUjebGKQMxldeITPn0/OsO76mNZgGrxRoUIw6NEvYWzk808rk[3GfM9v1zSLM,Wbqmcx9z6iSkh:4BrT3,KSu4A8uvhSwOet+pTiNxGyCGZ7NjPRMCoo0k0XNuNH8jmetbH[NjBTsY8oZ6Z3sTk9aJRiTI4{8jvseJQgfQBX/Mss8:UCX,mpN4EXCw9mibMym9xD/0v5xNpZ0PZ{LpNhT{twYliXjCXUAIcm7Y4uhfArUIXIivdpvCSCktYq4yRQZt34QqVTUCI3eU6MbinFSWi2BQdFxCk{Uc541guD9kNx5VjmvEQInBkhS0KqnQuqDMfB5u
0YeQ/mq,pcREyxBM05yiPDBV9Mm,ui/2itBxbfbmKgHjuqu4CBd3ypoP5Mg5lb5jWNTO6B2KIVeuC7FPKu/GcZB2xOfo9Enwz0DZhpplHSji4yUXypsE5JmQkUZ4D,hXNNrgjx3{kxP76oYevFU6e8v0+7pIcBM,yB2G2gt78h2XtRY2D9v91:u57J44cUnR8zSsELvtWLCLqZv,SdUW0qDgAKadIKVz429ph:3B4KiWXwAhIFgsmTB6RsebCOKQ00tp0[Qwg{DOXshFfP28x[HxkgPwULcWVqjvryT,5df:k1IvXGO4aYt6qB7MU:2ID{lNOvYqbm4PaQM0uf0MYtqtzRXiWdNdz6uQccgPlTkXuShYN246nmyqAfKx1Vbv1EIoVustojTMXeGCrQs6y2ugmLBD5HxcUGZTm{3mwf5JLqLcSBAhW2Ctg{tI4EuT0Dj{AY2CIFVs5cIstHVUrvp1mcijhboqkPWnaRXPj9gVq1126qZmSBJv0xRxxPkPgEqLSI6fGKidQftp8BcycC8iKvZMvnZrw0tejhduVeOsd,TJlsFkKgWiRbiW8[yqe{bthUCigTOchSaGyKIJQXjbRC9BN65eEl3,2i/FreIv/PkO+DQ7YNRh3BAsj1eDEdfMf7yYYKo2jv8QxWXryUgFnZ/EwF3dOUCCq5d71nOJ/KA7iIg3UbWd/kqoTz15wRE442TGCOAK57ooWilWCemyaHQktvh3WnIBtHFhh0sTP2jVIFaos2HuZVH5qcj5wRseZnnDwF0VAdK1WpkvrgYRGv/2cfgo6Rw,AFaEc[1sx[PqS9E5grI6PDVcPE7hNIcpsZHWe,Dp1GjIASpPYjpGCK7OO{209t0hmPC9v1HOmHa,vN/2Hkb2mvHGbHGBoyYI2jSxTjIem{45QScD9TOe84DnG9y[Ioh6Q0Ph1{Y{XSbpljB0rBw3PHyOrmvEOUmIKv87vkmmQ9dkGbFiIyuJkMwIYSKhdQqUZyGonRu7mhB[fHaxujjM+LqBtMeLuELLW5P5WVncG6dy0EpFo49Fqh6rEP9HmzXNXI1vD:e0GD12v,X8AsYN6sHBwfLNfPATDwS7Iky{2Wnq+Q2sEHXS6db:02qPJKdiETmyI:XxCtklff/8RiulBvvJ99ebxz6,8F3nqvk5+whxBMl8u0t8LYJzsOKQBWTHpLBI5u1pOT7LTjQJHUf[q2LRgJs[tTbdHJArhh2RC5b9wwWLD3h7qH5TiU6ORbyQn,ymIqaIsyfCjPDoUZ3jDqenOV+xhGs3Yzg8OW7df{6kerASbsXujveNsY9h1PFhjjjNw7rH6yuDRm3egwteeq+MyCMqdtfPekJ70O9ZG37ro{iFXxBEw0serVF5gPSgRu9xhh0Hmt0tiqVFOrsLNqfyGw0HXf1:Pq5S8XI0ryofi1Vu/gYlDgiFx9ZVtVIeNPD,eqHUuRUyWhVov2c0wiohPm3dioRkcyItE3E{u:8zp0TzWLaDffLHJDpsHGPm3zlDCWDbChpq+XlTcuTFM9DutjwfRGsKp{oqQujmwqw4JsuEzlkYPhezp:aDR:BThgqphb3MOHe25GZCVbRRnXQo0Wp,efY88LEGtf7hWEJDofZXXyTgTWfgWHQQ9mu6cuRVTRjPG45MMSohLvo2iPg4vMSfqlA[5Ndjzye4FOLOA[tOZ,yWoWElUJwk82a{qq5xY8ScpiYLanOqCJgPGO4n2C5Q0t+9p[98eJ4Y7HpV77LomCWE5NXI52ubrof0Ube6FfLma90SN:toenJOIWLchhhVYXmpZC905hf:MEwcyrYmRB/wMWMy+2aZRkL6nkiRqMtPePa8GicZSy4tOqvGrM7pe3rc/NMztXc7RhPY20Rz3,GMogylINlmprNSLhEhU8/oC{BOqIae/GnRPKGZG{rOQB6rHmAntIviDJVqip98FMhULDhkSRaeW,iT2xrdspXdLEyYlsMK7ojluUaPcntwv,bPb{LvJ4pzbJ4Y
95OpQjLSyOVeDTRHVwgCWVm4tCSXRc/d94TcT3QO+79W84Wd8vbK0QrJ33zd9zWZ2mHKm7VmA5NvsZIFTNTWa:xXXrHVWoJ{Aynr0Oc7wgb{hSLUyczo+:M3nCeXMYsG60N8CrJelMz9dmuTsMLt0tMeLnw7U8V39DIx59R8QeC3YvrgfLKkgrGyyTNZQE5:4{MTG7Flagr9x1xZS[bVG4bxrU47c6y,k6W82LSf60j,5v/zf9n6NrknJIWRSlrsKYtPDl7q5WNRR[ZYt8BHsQ2Tg0Bwh4pL/wLkV{90byJt6Z5SNi4jecFiqqwkqmQE4PaoGlwBc:lgGuxMNIxHpBzF9jJoQ4a:qBnuoZ4ST422EFq,UETPLXd[cmkOJVtfJ4PGL1JtwKMLvgfpjjQRvcYY0Dw0z43YfXRmwU6pDKmExpVVJ:v5Xzlp7mgz08vqn,4dW2X8VmEks03Ig[/Vs3BvSLau7u54iqjqzuUcyPcMcCuI5DoTTpw8rBP6CYI,c{i3ISpl0qQdt{RWaLxQMilSA7074sEEJOUKo{nYrK+YLPB1o1PFcUX1hMOf/VgneWXogNCxFniV+faGXKr05nuCJmb5/r0[8O6wLRt1oO09b269jV+2Xlr832OYlQkRNOpU8uCjitw:7eG{GQ/X1vLwenzUv{gWCX+Hiwq:d3E:w,+SnZOcEN7:oI0tAZtOGyZ2x5DQSnMp4Iw7Qe2cDNc2gUqRkGT1KJCt97mMB2npV{/,4yH[+hwYdq3[xdeSc0Ockb78T2wvoRpb1KAdSjUojWj17BcvDup2mFEOWTki56U{jDdjrFHZJ,F5G5GMGngho4hoocTVsUT4Zjo2539x/YBBu8UIXyXuwhzPCE2JgEn4RFsmIoOLVkoQmcAz0U/x0S3wwXpBGlFUn12bOHxZdVncBF2xq2gpJutTALdHGFdqjTUjM,yT40kcTgoCHveHDvqFqPwSFt4eW6f0jkiWXphdd592fCtR2vODyVioOLZQVNVI3lMhp,7O/OgJPI4yMwOL7kRgF4BihuzTz7Lll:9mj2K9empeguIQqP/Xk,/1M2ZRIjfPwB8M0t8IxTfc5pWqThOV6RLHe8Ffv,0wY6tkWo4zu10i346uKnjZIFoYaLjptyuKB3ugurs0igfVhWYozTOfuO+QNMMmG3/fd9nQ5ff2ZzjDb0IpSrxbf6drol3u77nyYW6WpowG/ZhqNtqH8mcMC74GB0u4/vK8tSvvg3FQcO4F9nwPGdnSZFF4j[TLbpI:HzG2+zF1HgCL2iL6Ykrfe2T3bBCOY9qfTHXdWJtMdkv2IzHjE1hX1V4tyIP3mPRxHb2IiCV5G{W,7l/3JrCChvotMtuv5hA7CHZz5Rs5OXXWMP0rst7fbfPxzWdSpZteNvQbvz51fs+p2:13BRsHnVoS+1BCpbIJ3IE1Tb/J5jZ{yiL56ZUjGtx5ycX,sn6,SUGtIdArAEWP9ryoLeheOpESYR7xt5Bw3lYrhx7l9VLwKg1dfwxDl33D3Uu0r:EC+B6ybRmKz7l15IEIAcC61,DCUboeXcaib33oCNeKjFcksuT,e3h5dhHxihHpNsDx4gqlPvag1l5znDbzGHk4rl3sCnYEUyYpRjUQ1yN4pYWZHv3wJrjXfOK3i:D6EsKtpW/plXvBH0dmdkMydcfLa{JEbBVU03oZrNtbEdC83oFHZBR2YSyw4wmPrXAJUrbMT{NvpRfSXXIVK7XBnUZTyb3e5oQW9FJOQIagDOM7kw64K9n:53uOjJEP/7eicE5Mv[3:DLzjalDETS2xpg3LcBoytbiiUZGnyFzKsq04T,OFab2yo7Owp6fLe[gooKn889TBXnNyQ{ljyeP1kdZhPR1QW2g67{d68wfhjKWx2bG3t8xJSu0:C9JOShJ:lxwoHo74rpKRzVjLC4+zljzbXxURhluwQnvucrtLwWtpJRud/L/J1EDSBHYlI1rLiVllbLsUExLi2Pwh/YiUTVA27yjh
UrYlwuu8+jTzYtjID{P4eiEEP2gElDTsN6D[RsB0eeLMd1V[XrNxDJvsmrA3gZNngX4{lzn,TrP2ZQ+y7T6BHE49reduIKGXmcMsPHW28dwberi8/Vk5LfXz4bOtoNN0b{aBQMCWr9TrogrOFT0YSdZnrU2z8mbpj273ErevEuyS594CjNlTqEGcRvr8Sl4ndgYIj1hTEqCGly/71rNODKEI/Ljl1gU9eN/ky3VqX,xhl3d6wPW6Seb3cipFQbzqP:w6oWQl3SIn4qDvKKWCIzLqDOYHNJguLMPpJmAvwbsb+IQBQIbVSfXJ173OtdOLAujk8SKZ2mDX22kzA1w2GLzv+4L2pfv6LbrGuWiQuPtvxLFom,fewjjR/ld5SP0[LIamBlls9BIGIErs5W8F0SgsoX31Vrv[CRHlouaqWDNXmZ/3sFyclBHFCMSMxy95mQn0nLrpAgwYoYUHp8gQw0guUMT8Fxr1BgnwuidQ37PNRWgeIZXD0IRfXzkp2EeevERC0zyialCPNvv4HkXjWodv+eX8Boj[IqBhBQYZcdYKyGBfGfsibEZNBY2XIB/m4mGcH4tYKT7wFFuK3:NbNi0WhYMFbY8{ZQR[fsV,z5I1r7iUzoas6OeQTO1CPbKHCw7ZyEKI2pjdaWN1qymquS60nGGVA9DxJ:nZW2ZWLqsF0nSjd{adeUckxEY6pvcrRtWDaBOndTElg8",
          "KERNEL32.GetWindowsDirectoryW",
          "CreateFileMappingA",
          "SwapMouseButton",
          "GetSystemDefaultLCID",
          "MarkMokeOsesShwaSkegpornlimemim",
          "KERNEL32.MulDiv",
          "l&#l&#b",
          "i:sgDVkyl5ivQ1zgl:JOCyfbQh2RV9F[IkhSuS4w7DxS6:p57chqXRgKE{BwICMuNTSsW9dKwcmn0bVw4Px7jZjm0ewJS3Y",
          ">A>N>X>h>t>z>",
          "USER32.DestroyIcon",
          "SeminerdsoloseenYaginobox",
          "?AidsvowsBootFaysGiveCuesmadslallcarlwot@@YGXACMACUPelfOdasbachSlitfogymug@@UIniaAmiaMeedfohfe@@PCUDelsYagiNesskopen@@AC_W@Z",
          "DestroyCursor",
          "+E$9E",
          "4#464=4D4J4P4U4[4w4|4",
          "CallWindowProcW",
          "sK:`'89",
          " UJ6tr3h3xivEkdVi0TmuHHem1qkyx7CwEX[0y+8xf9:BmIpvJAcGIH61{eX3,T1bq3woZlmjGOVN{ybD6BhZ3QWKETlKnL8dXcR",
          "5.XOSDzTseBTNoxKEl7XzQbM+2aTvU1HVMCJR3yrh3buCSr9Q,G4i1MYOQ+rjXunnGYVgdYF0",
          "fvifsB4KEyDcEPd9ma,mZmhSNAXYsZEbZZclOdUQCS6p8uEip/hwoawNRzsRy6G5JFIyRhp/pLoGOKTt68dv6HMz:ofAI7VI7o8lZxQpqKq51M3U,Nsk0Fy1rZVIdPKIu25gCfdzVklcVo8o1GT6OT[UGoDzjTS3IqiDv8eJ176nc3tEQFYitxhE2qqql3cCSazKyym+f0gnmwxTJ2:aCU5UFHrd7NLWhnsVgbP7iRdqoLN+pe2jkyy3nNDaV+ON9ObKOuj4TwytTs[jjYyecRirb/TDC5qvCez2xyPBIsUFgzW1f9S9Vyb7BF4oiwrfMM88FW8YVbin48SjwYmAr1M4HTgwZrXqVHDfHulFmG,r3CDn3JgzFMbAU6ml3JF/TM4E7g7HGtW+BJvZBUBwJ2zIRl,dsugzGLeL6C2Y0RxTZj0LkcP/Bvs4KIS8W21JIa,fnihCuO9yQIUNjNZi3L7GUu3j5Sbkn4{PLSE/IkgkoIZFhxVVEus3HtWhRoLmlLZCldWuElUtjhTgzXgXN0Yn3IHpfluSiK9/QtRk3Cjshn5vreG0X85+b+5dyuWeupzCZpEard2bjDnYpH:mgpgORSQaT2r0wrpI4LzVWSQM6fKE5Ci2X7QLqaERwckJmJlp{WkjyRUeG24VdP:jM/9rIg{9qq7gY584q08q1OpdBqwU5/NiJQSjwbj1:ORAGmVorjWeiBR/B7BdcLYR64bCHMWnmvd4VoK+vtTxdg[zI4No9O2hwq99[+kScqhBKbLZLyzUlrGBnvrVCu{ByKVgna398A5mNn6e7Zhp3BFYsXphtJ8xd+D/sFJhvwizqt38uxDLBI[FWL[f5cVbqbm2yQnc6MfunKENk6Y/EPcaD2iUU7QsYybkuujUl00mj+yQ7aODBdFDYsSVqWJ4[m2k7ZZx0WM6PzEP6T{GVBXdvJfkj6kuXhZUXObSY2tG,nQpPfbarmJg54GHURZ0{HlNcrqM6dMPFE5yIn3HKkfdfV:Y7bxMtMyltLzoY7btKnOBSGhMiz[5Q4W6Nl2e6NIF4hsmbs5xOx5tCZpkePXaxsJnJwUArhPtpO8i5tBm05gnsYZEt38yQxBgwM{2pNqmWiha8xl2QntnWfBz[BmOuGZsnXzRKwvpIhqkbur2tL1IcifFvhIssS7GOQeUHaCTy5mPeyzSCImLVVTx66mZW4{vXS,NUj{YvmNU,zU18ZBIYbPDDA,ICWvBBYlys5vynBhl5bD3mNzCvc4yS+ixqpjMP8QZMd3Gryd4BoNepnV6Fr1BsodWJ7BHJKpPMRukew07mqTkN3Hw23{bqdrbM7me4OZS4utDtZrrOltEV7vT:crPDW{7OS{sxG6fg76BKjtP{vJ2,690tN{fcmwheg[vXh:7zklB6h9fy+2DPUdPbPgegvCwlYtz7TUY1/ldIRsWKCEGWFmbbqZQ8AJSOAP83kR9sNxcZsXCQXRh8oFsWauRGKSxquq68I33UqGCvdIiMp728p42uT0l:pl8Zfw3h/bbzgDSGUvMUyDZ1EJD5PcOkxjYcmQLnum/WKU+CfTVcTyxdWQsBOCH2eNcHabllR{mygV2d+n+FHevuCEJwExUiW:wRqJud5V+glyx8zmsbErIQPoxDnSyZ+itE242eKnZ:ECdGQWrnpTlJLvz6kJuYu9608kyN7E/zDXcIxnHRh77Fq5iV6SJseUiKsKa7ClzDzj20nIkhydLwHMcmT8/bTcOyM[He9oWPrmOPv3HO6IzDC:HeLqhZhKBuWfd5XfH1NopJO,k9lg5LLVAGLQol5,ugJnRRsDQ:JpPSgvV:7DKjEbsXxNrf0x34Fyqb6BZ:LPcezN8EXtOUYqs1HEjZ3SV0EwCl+gb3sVQ3gyETZicLTOc40DqwW4bPD305qZ80RVZSdS7p/13GzMX3U1G4Oys4NMNGNV4xezZEF9SJD:kw8RShvskZOXRBp8i:kTa86fB4EsRhDel:Gwk{
w58YaxNDuXpDfJM80GZO06Do0ZvP7RzxQgecZC3YXcn{b10BnqVD2:6zL[5F2qmTfs6BgkVEKxcjI{PkD[0w4eIJ1o/NseDSPJuLFJuJFI8Bo{zrun4IIX6qYgggbI5dO5Doh6gi3DC1sZQZT1HCY4w6xPXfwX5s9ZZxTeF7J4O[m:tMQ,nE8R3mE:E1aoRjT7DtwGDd43NCGX3dRuehuB7VVY865oepEKiwtDzq2{CJ+newaZ13P0Dlk089KWDRMgEUe02cpBN,9JMGbp7yCjhjhxHr8gQOBfF27rTibF+EgG3kN6vbHHZFsyl[nUYn0gieguZXVf88OYupjF2EVyr2wExUmSjxDG69dkr8tjV{Mi8YT0gMJrvHmSndGrcjHJAYpSG{4caUJj+xk6FboU9BCKwb+JgxZ4D25WU0FyPi56efY,dLNuKZXIrg/RMLGdErof4gn7qUMct,uLGlK09UtKQ2nNA5qU2B7JdnDbY1A63d/EGiXjliV:s0tUxGj1NkUvNe1s3ng,nBjpt1wnH[kSj7o:1h2zT:ifxLPz5eM8dF7GiLN4CXGqlh66v{VpXk6NQPQOfzOkrFx1Uz1rJeQ0mNeNm9VwAK0IPuxPoc3YeMRvlldcS2O{TKTPBLMdQvHYsW+3iFjv+6MJr7G2N88ZoBaK7IowIJGs9eqL18Qx4FRLMRzgkip1EcMDYzr9C2cnKwmJOWoOfWHhLb8CbpQBArCdpwsqELB3G9ZsapCmhsBSM77Zj2J7jOrOdBJr/:yGzs2YPsMlOEHxKCYXHmFVYYPHq0LTkyfrRY32iN3pNSAKsKi:ErOpftRHWU4WRUqHqJ25GKxTqEC7tOA3hSW7UEKwFe/MMtvtEV5n0xRVERoopn9ZI7gEf:1zizQU8fjYbhRN/k8MQhVGy4ygLCMNfBn8dMYZWp4lj1a0cVXCohlEXxRQZoDGBJz6Lr0kpVJpnXEQiIvP3LW3q[tcpp4SJrlkRY6B1VbmnSln1m0g4eXmCw332hceP1hLkQiu/8hcnJTslraRt0W,1YA8w1skwILpOgsducaeOGCc414wA8ur9Ke8Gs/SbDUWHNOZBdqg53d7lq6e9H4yZDxf2Dsus72w3,AnyiCsIteiq8cRExzsU66sDpgl2{+vsh18XF1jpeXrwUzGbRURY,6SZ9rTOo3CmMzFf7bjfTCYKOd5Rkoji56hUJjm+l1CCbXTSbLck3RRm7X8/TWrjI14u:jBmcOMAdtI4dloubuv5FM6GLQIRFk:GDdv02fQFzrlkLARpBK4/MP3AlhqO6xykcNLNHN[6psRbi+KZoGOApSJpjN:F0VVgJlziCLIIJNGx0u:YRPyUFXZ15eZA:3ejCP1o23[F1PxehhBCQymX2EyXlZ:h8c:M4E8kJydxlLYBE2hxjLsjr82eos0ez8zVzvqJVK7JxXROmtcZBw:oyFUvK3nv:g4IJXhn1X:KE8XEn1SJsfuWuBiZT6BrZVwJycYgiKV4kOzYpyRyG8omVY,p3v[DO722Fgq1gR5jomESLPBt{VBi5t80qdjqEs6SOkFqNKqEcAXHnxiCO0Xb:E34TzP0U6jiPXq9bT9I[OfgZZNcGU{kexsxLIimPTWkuVkV1d[HKiQg2w6jiHJ8U2KQzFRGC+5Yeg73yab07sjY,/YhoDQwbFZNESPE0WhqZGEuFQy2e3hLBq0dRdHIeNPFuuHypn,8Z1,cBAVUivk6LJ6tBDje4iqIY7L7eJRq{2U9mm,uYOEqnWs5w/niOPY7KGIYSlu2hcZ6povDFEhSneRD08WKcSR5VjkhClRHOTEzPzEv02TR:kpyGVKFvZrZ6RLXVm[mL4g39POqI7bZ3oM0OSCmCV3Ep+hHrNdTpuKs2a4kx0b3WusNnxrti3uD0vhrT874Uz3sbP46l/F35vqQ7npQfX:JJQNI3Ei8yRBseRNwq0vWHc18o9elWre/ojdYdksEOCzX{9fgkyuo9yXOX8GcEdkvq
rR3EFPCBUVPzDnTgrZvm0{z1Q:Q[Z3rqNgLTQFsfzVHflqN22ErYqfsSYIhdxL7c00q[mHyiaCyf5UAEk4Si9gkCynSwnko4U2IY7oDo6nYLy[mZ8KZfpHbHOmZXvKdM3sqlJ{1zCTmKWEX3rY+r2li5XU4S8SFulmZ:Lwq4AkTCMHBoz32vzLj9AS4:7eWi7GYZi[rs8NQFa3oQYGvSZxobBfK5H,ir3EeXuZ6c2J+tewpmKdOEDdGzfwySSneUW[fQwSMMe13bA3xKE[wt5LPKVxsBsDwgibdtHmLB0TPHR5dspV/[HwdbG8bgjloJbJCodCJVWLuIlmqh3RQzR9D1a04mrbXCqxVLcx+5OFm2+pl62VmRld6i0PG3Cn5cb8DKzoGOF7ZlvYJFXlI,2Pr{7OUj7ixziNMeTXrkvGkMtISwSBzB13AYGyqsIuPIZbol6Sm{ezhHVOe29ZWLMEDBG2CjD,k3RhITWpycgGbMqLizsHjmbcUiNxPHKr69gm1mGRpZNCBQ9IpSibe0ctavCGB:1ZWr2kPqosf7ldj1TfIbzW14KiU4OHd2MLpC6eYc7lXzj18v353rM9b9G{gk6xLGAJf{NKYdTRLY9LeIslvOEgufPJDB3ExiHRUJ/3fgot855{W2vKAYWThc7OuBLueX3L8saRCVHujC7uWT+LtUaed3tV4nRJQ:ymUPZqi[rSyc9vwTMh5ftNDENDORI3rByN+RJBFZYi/bj9a,kpY4uMe2uJ7umh7PNPPE4My0Q63qr[jNNeQXa8Vwbg3GryA6cDoJBuL4iMmZw6jcQ6NI8VSOu2oltIKT0eBpBZgwc{aJmRr[Cyh:sWALIuSsDdHs8reKO039pux8gXa{zq2bpcbxR8bny9PZECNL679WeRHNGfgZoK0xgNb73qqESz8qqxrpJktyEpbj9K8kgX5BCQqQx4Qnn{fPyCrvvsW{v0aI65dOCgy{F,YJ2ec78{S9nKBCrIlfsERbQ9rhu2cCWuM2cDs{MTpFzGq[kI1tzb4J9UI60GwrLOhf5hE3lBK8ujGn2KTBI8sesh3w7QeO/z0sH:SEiYLReEz1CBVcvna4cs9wN9V37eBnDH6b000zPscduHhH0BMVCS6ZGbT{OWYZQdNTxZ03l:Mum[VWgFaoBHAJVG8CnrFkfoXkIip[lpIZfuYuCIifBKZl08y{CGZlmf5{UWrn3hLDaLzxNVuWlqLXDlTfw16sY,lM25C{2YCUVuKNFWei7LdLeIYqEu9GS6K6LxVbd5tTONO8fPZ5LR7qUdwfyoDOi9idjFajmG641XpVb3xgUeP06O7gpxe3wevrKZuY6Z31qH3LIhN0RGG[vrL3Y850m:WJ9KKT6e8G7WfQSDM1t6Ket9LgfOAM53WuiZC[KWlGIJBFkG5sGCOS0GaLroCdXN53DzXdQF2,/sD[3Do{Qq7H5Q4f3b/J8rhNMi4Uxi5M2CNyzPC:FLj23dwlMycPqm+0R4VwrGDbjlVN+nrX4V61V5L{0HcjXbvOJHTYWLnDJLdsIf+3Grqr69qjoy8wxkzJC4QkTB7tOTIrD0fPh3gwkmrEC5gwO:NTPR56riexzWMBC{xVuVtF/SpXA[vJaFjwppMIRl2nE5to4fuqC8PI6ukLzmt80nOhlBmNzNw2I4/GZbWVhBXmi:axyUyER2q6946dN10Zr:lp5KNbW4LBGyaq9bjLR6lnk2SOYkZJ5tSHkIzeHCA,W2EQL6uLYDxO7z2dTDaJrLW8FTyVvi7eWpl2ygtcJ5CNW2euHK18uRzuNi/91603+VbI30e1/DAYoGwQyLs:gc+lMeqiLZNIOMifHh4iUvsz+C6LaMsnit6ZSZz,akGsKdH,B7X2OpxCl4f2AJjnh{CBBg4kQ2sWPFWEW2NHL0ggvcXWmK+tXnDQNmkZPIQ:Vpgl/pdO/5Shi5kCTJh8f4vKJcHZloxCE:358DNqBjLXBmnbrN2fGeyZtBr08N2Qnj0P
94kRzZs[s,Dh18+nJd/3AoVdBDSjVUXSQkv5rippZpRGgxLhVdO2wMmZEh9Hd62xW5oevIuSp,LcYp8J5Z7Dv62WIToNpVM9lgp:5eu[nNJ7LzClciC8/C9zVBEgyG0LLWtkSEonLfdZ9K+Y0U+YtXh[vLU1UsQcx4jjfZ3zH:ln4MHDZVRml,dtlttJYNh3QFRZIpY[XWrz8Rl2yh7JBCSGo3MTxmhPYtZbpifBfeucbb/kaRntjhL5sHRj1NQvoI15pZXTZYqMZsi25WiSl1n441SvRF3BlkL,qItkSsejsLds32xd9c+HXZB2Ytl9+kSZQfWdoeyDvOLrtw96M6L0vwHU5pEFYJDe/dwEAuZsKQMfd[+zsIuClMs7n2EsNdTnRbGjUP167EiyX:9uB,23eBc{9D1EduFCUISDZqx:r0DMlQ68SjWiDJo1zk+8W1rOe7t3X,Xso0w5dr3rOtEGAVPv0RyHXBYeWDkdkHnRgfYepMZgwMOsPzY3AQiTb5dGN9CIDFqKTRwEvH663rqHlz5Vq094Kyw40BTvXI69bFbWFo2qHii[iNAxFFkz4dXRfNul30Nx4flQu{KWsGXgEHHsUofHgsJDP35lAKWPQXkv8n310oOm4hsqWiiU20ll7{vRlUBVRKkEtpxpxiyn7[i:xjkDVWAk+19eROjtnXK:3Ouz+LFDLGqI2DHNw0uijL0K1mFJ4F",
          "SHLWAPI.PathIsLFNFileSpecA",
          "_(hRP",
          "ll&#l&#",
          "3B4Y4q4~4",
          "4%4G4L4X4j4p4",
          "KERNEL32.CreateFileA",
          "BardHolyawe",
          "D$4_^[",
          ":!:):8:K:k:q:",
          "< <9<O<X<_<e<r<z<",
          "PathParseIconLocationW",
          "7!717E7K7V7c7l7}7",
          "1\"1@1F1P1\\1",
          "KERNEL32.GlobalHandle",
          "WriteFile",
          "=#NEw1zUTMNNONvJ2NRo+OjJzndo4djQeYoJlUoqiQeJ3gyK8RpqRQ9GyWDDzetolmnR7tLSM7SL",
          "SHLWAPI.PathIsUNCW",
          "ToeaTailecusGeesSoliCadeSpueEndsPlaykaphall",
          "GetEnvironmentVariableA",
          "VirtualQueryEx",
          "uF.3w",
          "1.2=2`2",
          "SizeofResource",
          "ibx6exk27WmBUZplNNxLSMEFKoccF5sJk5Loz4DzL74W0bH9h{gLoFDQFmUCtK4Wc0ykmMqU57J,yF7OUmrtSmWpkhLsJRNrj2A9otES6nuX132[T{4lY78px,VLLubQ4i8jQpC,u3W2azSkLNPM0n83WN4CBTrJDmEvTvtxT5d3J1l,heXhf{V9g0c[KMWH3HH8S5Psw5T950sZ8KX36D9iLd3Vl6lwPJxCija1yQG6L5bdttov15hZE:dU8iOvuU1gAZcpnzYrYFKRyuzZS[Wmv:gbRpKKk2o9ij0pBIGYNzHw2h5iOLLVhJPzfvnzhEacaBxdbTxsCebBDmrH5HqFsCjE7G6jwLCpk[NjQBxFn9Awfp6bhdi9qLp36cKKqgJQkR6mWzNyX2pLBePLPionnHQteT/hJ8txIpkf78dP5gEIdmquPgCzGfmw0,tde:bDO539njSToZJda8FNVnT{dl8JUeihJWmGYb1tuV+n1qoCZ0cCSY3U7kTEFXqtPJrc2et6MVhH3eF2ZtfITICypou4tZk15VOCgz3HP,JFFUuD85pGmrjTB[E9e6/ZLJ1s9MeKr8dcl:X0umOs/zE1OpeBKMsuBHB5x{2LDZzw7nUm7dnflyIVu28zhzjQ4KBI+bLj5Q8FP44V4D02c7MtvnEmvIFkOguMcjGb7P8:F{N0USyXyhF7nkP2GW5qQqTmhE2m6u6po:KGVVUixZ/RIzlUPwce9Fs28DJCIstbbuDS+FdzyDg07YfdI,GYhIlfhdG7FCQ3bx5s70irhnG6WVFUxMbOreBQ7ckJB4yuUD3EPBEi3KCPi7Ysiyefzn39WT2LyhvkV1AJCb2{mK0gQ7U9ge1co8NFkpeytGYBWxIZu3okGtclkvHdieR0VNNuubqKMKYZ+qfLsx1C9ERBJRzOTUk0TpQ,7MwDSRgzfB9x236fP{Ty9DL,YXqW/tsNdrw8NGhXOqPGq{RmFoX5zO3jw8PUS2r[B,AdYGC{o,s74iz4lL45oFAqr[MKIGU6emwk4matKOMUHn3KixnK4dl9+kzNQtHiYxBVA{6bZZrKLDHtKPg8EgKuJtv76ivoxT6mSCrKNyppWo19QWMkZ9uejk7lmLyvxwdfm6TZg{qemDKJ/KwE9rCVlvfNVKo8bGfWArlGP:9eQMynju/[ew3UtUvnAQcwMkVruZcFN0k1AspfzdOeHoqhVnX5VZLwKJNUIbMhkjE9OTubU,r[24hNfFabs9g6T9fZfQivRDSnMLVivn3[pvB3+zBUKHSz2J+Pw[4mYKPj7He5ICmDuFzPuscB7{q77ERwM9Yum:kTwyAH3fb0eeoBY0iEC4sT7E54eSdvxeE{JhfQG4XKhNajostYIqcXWkbggrX0OFEra7CbMvGx5tS9H9YBCQbzRbur4oeodtY5w8g1J7IyL6foB6PLreelP6CMYSa:oD5esoSDr9iiEk+JmudpENlxmjyFZKUxT4Iha5LVoTn4X1loJFao3RVDTgg3js8cw2i0JK+uWFvVtjpnj86X0mz7ZLafNTrry7kJfRt8zFNs38s:V38rtImn3LnrTGEnkoaLzjTn0tvo6phJks2Uhu7tQZurhvt6mtLPWxicqRujbiAbOLf8DlzEG87I4HVXW{ROQv3F7BuHSY2dkR8S2SrPJF0x2XsXKf+oh306akDpkuFlH4NxVY96IRNrqMPW+s0yoSebl8UWxian9{xmvjYgqWLsz{hzep1z5mrcYeBRCSfUff/21UKh1nJHCz37/30eC7ZbqJA8ogzKinM6TdvDA2PPlDc6wYL3eDvfbxg67TULYiG4xxa:FV37DDPzF5P6xDv,+tqxqzLT5gySe,pk4EM0F0CwDgegs25g5vce520cc2fBPojjBkKe7D0w2p16ekOktgx2yKKs/6ReN3fX4nL:uvM1NnsFNrBt1t7ucFWfHecn1Fm2NdKLd[OQ05FhW[MgBsWFYhtlKCYh1ZUXM
vqHmYFug[SJl4Qci6ipKKAHXGxnsS8ro{DlVN5UnXXR7mRF5jx[9QI427Fxzg72zUSkT,hqLFMSa:qLd[sEljS{MerCj2UU+s5GNQBsc3D4LYRnghEqihv3TG0i8xkge,C[J4vOKvFm+JYC0mmn/re2TgDqNqLSV2NxQermbjEXdQt,KbF0j9x42j7wLY8IHBRTGx1YXnGtZ6gT5qlTskmk07vGaCr8ms5IROUNh0zW7T3FP4DE7[qyxI12/DLQimLEeUgUL5wb3sbqM5EcZkcwirLp4umGvgdmO1UhJHBBByfV5n1V9{U24vadQNEo7RXlBG80b6zk5j2MB:w,bVqoH8iEpLi6Ftd58{g0MLB7d9IvpKKCWTfZ7i0Xz:aWlofMzR2kj9H8PsrSq0a3uSFk1,dDNUjciOsoy1exhkDj6XTzhcHuBmqZTL9BXWSnIzb4yO71r1mYjHTvh66mnKSDdUBDr0UiRkt41ToxEKSYV:JqvVRhouz[x{PunK+VR,9JryPiBB+oA[JZrh8vDKt119ZoYZk,Xgod35NoTC1NQZ18uyT2vBK0DNhPgI2kyh7PHy81oqAVZVfXQIyU0lYGTdhnx427rQTjBLGXfJBZuC4HIVWvByG:qvi6XrXbHdLuxWHYBqnXskHRdYVHpWAtNVHLYU7{vqtJiKQgIne:3y0nZsJJr{bmcFYiE0jgxDlgKdWd30YCVRhx6jtFYg9pFlJdT4MWnMi[P5x8Lk+zrsYPVkwyMN8WpFbwZqF2TCPKmFr2F[AkVqo8xbtMx2EHS8Xm2,9W4Lq6wXR9ZqxJPKIx/Jd7D8NFURzf1Ki4bRbKX4FPjwnBsGRiZ:fV2LYOykiYl{W92mxFrN4{XoQw9O9FET8q3gbruOxrbYwSe:oWJp6jP3Sf3DW45PAKCeKO6Jog6,US45PdkBBur:NETIXcO90TEqjkJJHB/xWMSOb5PUiySuowb6XHJ6hzqyGf+HupX3MxkOQ{1b4IBjrlSQZv9GCEX8UW03S[XongTf5PFr+GrwuUBZZuyy59SOT1EmUm2IW2BwmfqmnI+1q0oBjd5HyWXdDoc7MtOClVXV1NX5Bi5Y5SqpiCSOjZB9tzFZNsEsFB6UQqb,2OBZpERlhfFcGxvQd91fnhc[nHgS1OivgbZ[PgYbFXIFe4MFVJbOvEBm/TiDKbfHQKiPmM3OnTddnB1rA1lETVWo3HOlRG3O8ogXjBA0Vxyv0VvvwzoD2h1t04JPAQeT/M0Vqx0fCcPOPvGxF2IzeNZzhJtKIDPXD3x8oLzIYbeJ5Hr[vv2XzjOyCJNW4JAt9raT56PqrxIr4:YTY8lp2lifT1eJ9VcSlE2uB5nNph3JIVEk118ihDf[fqIQGBVoYdFOz6wZkN1tk[tY4:VHW5rLajxW83k:0[xz7yc2Qm2CJqFHK01q0ViVr4B6lNjjiUi{aFLh8Xl8xvps+d0kREDxSCQvC8mv54AHxHE0rpkSGE/Thk1:IljcP7yC9bXiwfJi5fC[M{Ogfgy9sD8jALeFHs262u3u2UxvXcKfWOQnaBcL79p,cEy{663TTlyjH6XhCOf7jpSeOiINZIeE4Q0BWZv0N7zXUM15cbSzjcjp4Rr:1uIG+Ku5PLF{fzU4dD9yp7+EoIF0RzFRnQyUOkBND:n,QJ4zhVD{3oyXe1f9Q0R1Y96vljzqFDBR0Yi5qEpo4bDBPJKz1yPjCQCJo[7Pkw8mveRe3Yj9cTEcjCWMvRl2PUztNm+dzhrDVXkFH1wyP7Nt2[cods8Cv[oB0Uv8Gk9TAoyGemrFV1YCQ{Qjbx0[uFeUvlvUWfQ6Hx3FtIG[j2LXlcu0+EllfqBpp9YeQqkoU29XvWj61ie2bh4wNrOEev6WtfCuqoSqJI1P69rtaUQ7rdRIX8Tgtt6NzheZKKjVEw8Og,1S6sETkQRoTvTv1ha3jsIEWbNp0TcSDNRZDg9PKuCCIsa3XtDNaCRv1mv:vBw[YybnAYUX2Uf
uZSKxTfURi576hqo[8gsid[qSi1jTaucoDOE8Y3Ibn4Q1iFEgIK+YhcGTE:j{9G3s5MOdbNeugJZpTuROykgBLKxtTCetOYAXAqdkOII6UNNjI:lMjeBegwdSu1Cyo[w:/[r2tNgnGfyP/SkqmNgUwRtgMjVvKll0PqWVnpSgvfavHHJKKeI,NJwjSmA5LqsHkPCsRH53PXbVYqHLOnIgpeo:Acu63D/WiJ/HKEK:622TcC7bXZpn3f78Z,vfBO232oSuo1DubNhdigQx0i3sPl3FOCkWTPbBP78ylfdleud6VvhvogG0XR1jsVZ2M7hxU6uv5T3oeX47oSXs7i7Im0QipJ5mSUG8HXv6oNmVNJrDH2vEMUsUwEigkIP5m5BjErKZIkHMI5wDvZGr0M/kjUBCtSEbQGGhHELnyo0riZdN4UV9q2QBt5iNScD1ZJj[KQlblJMU9eNg6ylG0q1s1lTNq:8kc3vj3PbtJtTKtg6BSDCUJKRRDW6difmYewYOMRAuXtSLJMpnY:6W/BEOC9R48GeJxGBPCL4WWB/iy{13qD8vp:V1wbcULWaybFTZS1GXj9bebOfY5BNNQcaJj5sc04VmMkL5+J20CIGQqufSx7OMBqnuWlx[z:RpbrOufDjWv284nf/pg,D7c6R{srFPAONk+PUtKNKFtvm{/3RxJzj6zQ/yBE7W8se55BAoqefQGPA9OLaJMiMK4wyBLhW53G1EB39Q65Gp2pPWOflGtT11/BDbieo:l0ISXpiwe655nzLO16YmPGOk5V2oD:5gxdgvNs3tP5PXe32FSuEzoZwleCRvAbj04rWsKqI0A32[l4wuX[R5mkCf5jhT4LpM0zYjxPxoxCyB8zirQVbpupqpkHE2io4gquNRBVy2ADbdZBCm8ew8j,DWMg7gcvQc9c2l6TL6idgiz6DKUppxV6gPrpz3BbkcAGqTd10soRg[hvAnZPTbD3lDY6He1sgZlJyedHaVFEjPdNDTT[r0KPlIZiR3lgXJkZgYT2u0Uk6iE7Bvbfx0L55olpbVJZmBgtq7Ypo397XXX3Ll38KJ5Q4Ij3eCJMsbfFLg0tQhCx53VZE4kWQlmqdoWnZoaT6xcU3dZ9t33LDhkd3f7K7[In+jUWtNT0/HNB0BNlY8xh3ZVbMVe:ymoLf42sP7l1vQoSN1b0VEiM9RzwZ7GZ2wRJFfzltoiBxDhXP6mGd0YOQkXuN1KcELEfn:HnS7ki1RkbOMqL+ZYzxncpADiuzTfZbp7mHnx70ZJtSW86zXZK0sv30IBC7IHpmVOYM0vGjyu:T2JvXK8U6exXMMx65gvea44xJm5oH3YtyvInoQrceqbBRq8i1m4CiWG6Q9GEL0EYGsQwgz1MVbaGIJcOdsBB+oQhrIIg/tvZ+P3UZh441TqoOu2j4rhkEyM1ptu6Rkgozq/zsE+q3n/:gwgJVOQc+ro:5dQJY5jwMQf{F,d{Lk6NujAYm8HU2namUyLQgpOWWXPu4FjpGU0oD{VVl6DE0EfBoD83g5ajM3AqwXtjjLQ,0JKPBD9nLwCqfxslXSbjygNs26Ef0qkrKsUQEvbBw3KtwclCmhbQLtzJMlJEMReNB:aGaKOVlDJ7bnNOyZExEpPwlxau8gWBTemDKFU0Ug6,zz3q/BfxHBMilWLh/4HF7Z1rMgZT4mDdM,C9fZJpRHctlDZwSzmvcjl{MoOjVd51V6O:H3nn/R9XWvoZq2Sc36oFoB9Fkfl6d:r8dHrbZpfmvcZStfi2j,G0SFn13tWfXDg,h{agkvUXQH9j3RaFJh/Q4dsmaxrlEV2BckLipIFI8GwjLL7vcuN[z:0l4JQrJcmrC8UQpRPFagX6Jz/vFxXnFVLf9yJfT,4lGNoCIsmyPddi65xedOnW/XV[W{1Oi8gMzCsGDiizNxkgEoGvePHwlZQe6XBBN4LPro5k1wHir5Lm4b180gnDDGs24Wx3nzfNeBe32dqH7YKwrnpmNs55zOv{C
[ipXZn9+Wue0FT388uzMFQJk6SQoUjpZV6bXnFbKbS[Z2tOYJPfJjVS/iLHocNS9x6ZHwa6JOOwEHegdwChVhRKhE/{5401EyGIizGWgOCQzJMW2y7,tGCL9{M8Wzuw/cAx8,dS+EaYUk2DQBaCA[p4Xe2CTY0OtbUnV41y6:UqJSwgdTd,zwlu9FTo2VribsO[3VBtcrAlvq6JVtW6bNnLXol0TGXSWfGQl7uyNSN0Zxtf7ZdO7{IOpeZ1XxpbN3PHa3AKgvkzKCefcQbvKhH0Z2cnEtVd44+fx8HyvISDu3QmIOvGRtVdkwirH9YIPweqNUG2i0IgmHBrwFy0+Gwm3rUNyp6D8XrfCtfzv9W[oYFl8113VhA,rLTk8:yTRT6PAJwsHfTFcz47FO0LFziIu,ttcMqVYFEowR+simirk2cnRoVD6M3hdote8csVYYwMLEHg/0wPX7C{WO0vYGBp7rO:wu3C2RuHp[csy4ylCwMUUh2yU:WIZhxFQzRY+PxHZdbiQ[dkjMCoI5bL/YXIUhgQOFoOXzWrUuHEy6umgES23ZmjT8RxBkkSmyohg2XfuuOoksDR03koeS6fdKIu2v7eRom[5493ZRFMoswMPnFVSFXpCzEQ1BmLsUL3dwThaKJ9FdS38qfbKL/nuEFRA9FkCrNYje6g3eJKK0REsoe9b89MOFHKyDDHjuiTVldCdSDbZ6xrnhc",
          "KERNEL32.FindNextFileW",
          "GimpWadsdashHoraYardSeatDeanScanscowRantKeasfib",
          "      </requestedPrivileges>",
          "q=5Y=",
          "vl&#l&#l&#l&#l&#l&#l&#{",
          "9-:3:Q:V:",
          "l&#l&#l&#l&#.",
          "5!545L5`5q5v5",
          "?*???S?m?u?",
          ":?:E:K:a:f:x:",
          "GetScrollInfo",
          "GetOEMCP",
          "dCPvCAYtZamL8Ps1t6X/ySjv{b7CSrJQTWDFIjdVHi:ZId0jXvjMwh8LVTG+xSskvyVgO12dRzS21RDI1K",
          "IsBadReadPtr",
          "ChrCmpIW",
          "KERNEL32.FindFirstFileA",
          ">8>M>c>r>",
          "DyLoL",
          "5J5X5^5d5j5",
          "GetModuleHandleW",
          "USER32.GetKeyNameTextA",
          "<$<H<N<V<s<y<",
          "636:6W6_6y6",
          "KERNEL32.SetCurrentDirectoryA",
          "jkjk+",
          "=%=-=v={=",
          "0*1X1c1}1",
          "!vpR!v0`!v",
          "SHLWAPI.PathCanonicalizeW",
          "Dy}CD",
          "2#2)2k2q2",
          "Oz9zyW2wl90qflXbVN8yNmGZOVRRl+2yeObWL7KX:U5qo9MfYMW5J1[bzSsJeX6dJY3PyH0nboCYeA_",
          "4)4D4J4t4",
          "ANMW-",
          "xSVW#",
          "PathMatchSpecW",
          "7$7.7c7r7",
          "4az6X6:9F9HG[O5oX/vi5QL6YEHRi5H1do564wbYpBd9Dihf1h{Bv4OIl2mFgGYHblK9si3mnQSOyv{ppH[eYuyzUGkeJaBv",
          "NextLoveOralwanySurfhm",
          "IsWindowEnabled",
          "LocalAlloc",
          "NisiBoyolineJiaoveryObiaowedblamHaetMaulweensky",
          "X_ZYZY",
          "1%1+1A1",
          "Dumpcotsavo",
          "9%9*9E9J9d9q9",
          "e-e VY",
          "KERNEL32.ConvertDefaultLocale",
          ")L$ +",
          "GhisGoodHowlCoonCigscateged",
          "%gM84DC^U",
          "GetSysColor",
          ">9>W>]>i>o>~>",
          "0%070J0a0g0l0",
          "eawp}",
          "GetSystemDefaultUILanguage",
          ":3:I:Q:k:|:",
          "e_9g+cYbmY2Wr5yL/W+9f6jiMh1[Igj2xvY{r9skJVl25LJbjQVBmtPC8uV9SSX83Udh8JmEkUBZ0[aJkoBiPTLNbioJvDire:Mri9cGMxKhGKaClrYJwvQnJvfbojX5+lIjPTdNJBrQ7P+jvDwHMeTGJGQih:q3bMCJm7tdjq42H7TmA{l{HQp2Ti0TzDbjPb9KodEmWg7rhsc7nc18QUprYbDrvbsWRnZTqjFW1w0LFQJIGXnUvPd67SP:kjtvVXBfyz2uVlk[IdfnSO1uE[RbKUzsfRRWRqn[Q6rwl:0dgIvXMtmGEQTcdSJHKrpMy0S5iYgL3F97nDnlwNC5A:SiNYOmxCQux61r0wJfS3PP1GH8D9nEu9bzaxB9ddeWYP18Cw5V2E0RPdutPw3bQhevmrO9xSv{81r4NS4WnoMhquv2hBRMUmWGG0s6uPdD8RrRzR300nK4Du5Mdv/5rg2OI1m,tUc8THKBD4c3J5GX6NCQ6dehl0IJC7w7KwzVwFs7L8jECkuIdMm1fv8:rxrp/,hMiT5Rb:vR0Z3k5Ve8X9nkJypSX[Csl7ExgMc3+DvhgEMSCR+ni6u60sHQSs6{dtHhO8Brj3yu2nhP71TEJtodiXIjxglbX2yWV9EZQ1GBhuUsfD/UgqHtQYI3nx1HEzZl1fJgT:utnHRQKSWO+lf[PGorHWK,GZgGEqP[zqNJ5m/TgeLN7m38v1oXL:xfqQg55[I2ijkK5Gd{ljsgk8o2MQj2DouGJ,wogMU,SoDfIDefQyw5DRZKB42XtEiU/YC47g9JGeEUAbcd+UW0+Vtt29mb2dsJ0RNPp[cGrFz8o:zL6q/eluvl2RjMi9+7dTv5W[a6X:TKIhuVocfVfrCW2P68OBoIIJj7n6VdihVvvvUwqJ4oWZBcFetcGu1n5bfHZ5kd2xj9SPE5r{DTFsYO2DGLc4a5ppLjH67,mrditJrwHi9[17A3wZ1uFex6kdOTJgboAUO5xiS7m[U8sREjAgwluk+5Hsht+9y{hK+nc5IVi7RfQZbeu03iGz7MVhY,pZxi23nxlY4lt3ZqTxVL/uAvEObfn8GZxYPsxVYh5o1R2KrE39rIo0dpawt:j{sVx[CstJQy+wGK+4+psomjGsaM8N6,lUFhE5iBHYPD4UTroV3s3DaO5fyOvHGvRjwssSVZJqssXtc[5Ocu9vvvgHlquiLF23Jf6UEHUV1duqN3+,vclXjzbdNKNY4TL8OlZL/vlJJrJ2H{H0/1gu78B4Vqi0sk85/k5QcswnNir5gMRIFIOn86Z7n,WNrvEj1lgiH{U5aCf68powYRqpqRscMBk0j{cvdzsOVWdQ3SImrIR{X8Y:FyqPowuhI3yX5egwTvadWKCRDM7CAY709M10sLjGCInbTb5Kf:cKVFnf/cL6qiyPtoazMIh{2woU4UbxwV0KxWktxbO64l8bMunzp6rSMcg263FjxodQHsmH4Spowv5Pg2bJaoJ6JReYrV7cXcheoyNpk1YWqewOjgpVYJnfihbnDH9HZwCTRICWgy1B4iUxw6NZM3s[lZg4mnBut[27sGYViK2RRtwrAOJYHLW2c8LJee+U8Ll{/yqjZpZRIM3Mj9HG3kibv[w{77SbQLU4DvMPQRgXs33QrcmQIrmInJf3e5uU/:60oMFF0p0tpE44qKTqNzHQoYIj+g77TlyS7pDd5L0j6gQHjvQsun2zk[2HLW9kePNsF:/r/VoGUrCET,icBtQFWt94VVzVMcIzLXk:Wgj[hNeNMojI75Tpwl+PNg8pqxc{rehkt[gJOiYyvg+VVQQqCBNd9mmuwBNqEtEmg2TxKYWgvi/[1c26BnGsvhcd0D1IR7BBJEX51hqGk4cI9ldkmOVSNZeTbP2MmTeo8baBzGD{kh2WDou,S7Z9QCnlJwlkbLRn/pK3OYZq4st{zzsrrTLU0j0u+{hF8FH[VpEgK0JU99q1mUtXqldW9VHyKxY182b
nxr/2S22PzyW:qpL3DSIleq7npIgn4hgfu3cc1jgKyY+ewdAsnuz,RRIQkSpiv5EWxPRCNBGtVRLiKo061MznDp38rp3OWtKLG5oY5oLq14yTkv7n2XIULUe[JT3RC[idYiTvSeoXA6/ZxIvHtCvsSnkDQsKZb[BMhdzukFORdK1vMdNWqV0BdBE2o81oRsiYJpE[I7iKlpsnqlT30DC0huMvz3nJAVoPeSjH1tPdFpS[jjjN60VM1YN:BC0Ypy2na6nxn8wsCOhejrh2UMb:x{pmztf86kVBLBp4ItywTiHloicj1KxBH[UMCjeuPF7t1Quxp1b0sBcEG9AD+OcfhXu,AhEDXSIU6e0Ln7PZZGRyGTJfPf2tfSVWQJR{ZWMTeTjTPgBSyqI3gcQoltEb/qMFfkdj2C3jfiQQd2j:fpFktmRN0QZ1onvQme7lZlRnR,IjNMxp69zhT9511hg,fhv8gI+cwIu85t4b17PW2iVDNuZOb9RV4m3tJVcKll72oDI8KnV4h[r0K1upGzccXUvYPDoGYrG2Iy3zv7wRMDRgUGnj89Qhi7iME3wOGurgvWXDVT9wlTTRctfzu1bxrF82/RfUoYIzqOYcUFbfzrbZi9nsQHoXyjB9RdyHqwpON8n6bsiFNemN1YyZAKFrbujfQ0rsWrcmD6u,+IQzhDOTbuNglsVWqmS0VFQtM5G6Owb0WfLEomUBiEYlDij,Bws61I2YiYfJnPlHsGfnaqvyK21MYkJwJUW91bjeBMElDM0o8SOc1QV[c7XHF98iyJ7Ey:YvXjgUYKLrA{wnCpzYSpfzFETWY5hv6iLoPcSqlqxnDp1YKHgJgXhNv8bE32ZmO0ciOdgcAnHEQIS1OeZQvoK7qPVec2ZQZ:3Q7q1sIXZ4/tKe1S0ST{2li6zUUqRHioOCIFTdSlztosanX8ogl7wkBly{4VrTKWIwbNXrtyT42LyzG3jhz{JtEHYCIgBRuzO[32ag14bDZWQRJkUiosjk0zp7xeaFBWI3nfLP+e7,H5ve/jbSPBA:7ZuruStrEu5CgF362DPGXTWOfdfPaypxsRLJrBp5TY+8UO66OhachMwzXWuwiIB5dXurDpedDC9NVVd3YPHBtPsLsv9GNM0lFXac4h3uD7ITzrOffnXKHD89ZRY7v1lRmy0PyOkIReo6Flu58mcbt66,5XYeRzLGBza7LUZtsGcRRs6kuDb3d5PfeK+6p0yr2U+ohiUnpB66EX3:ry9sgYUsWhMmKIT7tBYO9JIgVoinOhiCQ9y[3Ge528Vr4DNMs8c1u{gH/oZMo9mb6XE1tsJiw7Ekk0HC/xn8y9rjque[1dQglPm68SXYvB2OpeB0HTLyrQ+fp1sESG5[HmgBtMFmncEVkq7qhk2J9Wwn4mPTUFE7ZJZM74Nb1o0Gact7xlInFb7sM9DmdG/YbmLGM818zwF4cIBRhN5VI2Y9UBsXiR+uC3mjF7M:6NaPEyjr30eKM3E04CBCys7c3iyFb6Xmt2mmd4RYwZJ{H{yHNjwuJbsHTPgR5ebxu4qt/eDQ5xSz97MXi,51GCQHZXLMiqYNDCjIctG9J4ApgEi{81KfBjFSO2qlMsAkVX3VqZc[56Wg3NzEtFIZXkYUp97:ryAd2SCF+MwXSkicisNYOyL4jov6/Epd+h4mEyjiDg8gmnHNabYbaln8SJ0[FDukUXcfh0w3yHzKMRrw7H3PRnNcTMSGuv5inKVTp5cjO:3CwbtEwnhTb2D97D7I+nv2srZGIjYf5[OCyqtgPPSb+wMVJGH2juW11F5G3iI0fSfMyv6Qcb1eDHLcfCl34{BgKuc2yz1GYsb5III{llWnksnRgUaGEHjsP:LzXrUJ8uEnnsDzPFTPZF8cd3re6lzGhTlU4Qts13+QreDOI,4UlkOR19PJSYNF3ISdcY8gmjVU5CoBFvuPeMtmhTt:3,JPulPQS1sM+3K2jliV69ZHowUhk4kOqTR9R5/9I5Veizc
5+dKmBfBVwOUxNJT3BiCMbpW0aBMicm7MMCcQXXU4WIp[RrlbICSof6siAVP{eqJXsSg{wyuBbptM630reTRekcxXJTrzber8q,YlfS552iQYc{HL6IskSJvBNCBdmTMDKfYJwFHvu0WC0:NyfQw1D:MsxY0gxtn4spZ9AjT1BMs,k{LPqZyeag8cJ{QdwlrcCZB5w05VjRwvey0fCH8E/LSJO2x7WMVbIz7fzQt2tpCZshX4ps/rnr7RZZtQ1pbfwuLRDURXw,EFXpnxodQIHPEwQxOI8{4rlMDOkH361,YE/U2hi6t59qWvy423tIYrH5cXLcOB8rJGu0yzGFfvNQZHmXeCeJDliPBjfpgT0jPx1WGYJf1ckt4WGrjw67pctMF2MHcGVXk27HbTeGrB9lh0YgbJ6lGUWelS/VP32t0lqlgUTqpWfKFNVLsWxU/w73RDkHRDOFrjkLjzVJ1HNPHvmqlsi8mVmWjr97GgsOcXx7xRPxdXw,0PRSJbPoeYgRFEQeX[5HX7ApMBG3Zv1PTf6X1EbTP897fTS65haPjdKRTrsPa5e0Rxeu4vbjnVHwZi7g3HnWH:/bGUggM4hZrkak2KTpXV4bqWFMBiAbYkZEYE3GKY0eHdM6G9M9A4FgTYxw9J9QKPUcBFMRYKWpdvvxblW:jSKzasP08FBMgwC9e2NOtuoLPZLsNWmjr,Ss0UsXaNmBYgG[VHB8DwmWdmBF3viGqV4yLqWnxMozQ7nKESCTW:fGnYUVW{RzJXxkudKjEcz,26+5kudHlSHkSiGx7i1Gu0f0kfFz/u361WySweagY1Q:6MOZY3yBd2oe/HvpJQzY2WBbbfDg2OXS6fT8J,p04t8TLPv6xFxD+oImkYDRSFXNGqxX+TW:cYXybm0UldJ,ZF58kdhcuXAqyuWj6zmljewbs8q{pp5PeybHpKPK0sxpMno1bbwI/5+{tRac0egUc35k/jokzhXdKDMpS9Q[JixM1e/culkCr0MmFoEN5lz[xrBo3esRZPpQyVvvM1HUnz0lzYy3443db[nGbsCdkmHN+jijWW9nmgHul0A5H0P0FswrW7oySntYqjUXu9KVYQbHEHxlh[Z2tT7w9QeXpyw5ORnlCqz[+zexzxCcjq7L9[BjIS6hRuZ928Ke410nMnffMZimFDDwzmsceRW86{1EqT/7iPh[2h6FTE59uLiM3Hhj/9bRBKfJe[20YR1c/LflfqEyXB4eC1i8sWlb/Q2EQf6e7TsiEvuE9QrpwO8nnLeSc5LVO1znf3wedh6hSSqJqnfTv:tTOv7rhuZByDnRjhGejVZBtNqPBwmIC1YEpJW4U271J9+HEIaQnn5fmsndAlafJLB[PILZe{kRtM8e5oIKIWV,4zY5Scgi1vtTkSuG1YXsZ{c{2P42sXzzj2OMbC+3OIGgrOmCaHGgUeE6oH9EtGGMzN0Cm7mZ19wF0cOJrNK0A6jompbEMGJbI,eIyuhL69z7NtP[8h/BOXlDC70YpVs8s8LlgQU43retgGlJqHVrG[WWP[O2p15Z/eD[qDk6ae6is9oj1087ZdQZd6ptL5NexKH1OWrjxq1HreDl+oK9FOZ1pQbP1gjTPH4gm287z28LwmH:gz/qcPf9jLZqzgKqbeMCM[Xg55gxiGKn7{2QHBQbWtOySJXjXQ55Qgm10rAJNKGLFDygiuc8zRdFqSYYNg9VOrOJzqP{d4ho6eE8Y6Z3XC/{6p/u18VslQYzOvZxqsUXCxgtcPFS/qndseUbnNN[imCBSwX:+0RC591F4c6Gbp05TFPSxqrtoUYsWin5cbn8yGBTvvmCieVNlBR0SwwnmvxOxuyJ6dOCMvaKnlWHjTpy/MmS4bvM0grGOXvQVHE[nkjJdwqGb6YVd25V0KmKcZDKESupciN6G8uYpzne1ZB,PUVbdW8x+x4kzF+FVoTqk1xfXxgCkx148frrDG5,3qi4JFUrXl59Nc26Pe1,m,8XX977gWejE
8UFd9qFyEKcEsSlRinU9o5Hw:luMGI6FZ9Zan3qKp5hTGookMOTQjGWnMERtwqUjb/cFEYTF6mt1HQpAo+J18L09pVdEks11SIYDb0Ol,6rLxK,2BNvCTD7quXSm2AxNd3:MwBVsz4oWtaoPXVledphBk0dEBUKX6qmGGFdlfziith[7WD[xhFdHOSoQ,dhrZVHIiYNKOBm7O6WjTmUvKCCR0KS6:sqVPCYUp27kFEEpus5aeF{/uajLPh89[fYZxGXRltpdqQ[jzs9ZtNH/BhxP,jbfsRs/cgCP,yMzEN6nwIGVJ+xwnSit[3liQhjQUe0r3Zw2V7QiLvknr4V1mYEoSuzsXqC8d47sIjr4xtHeGFEwbV{5cAC6hoSK{tWsKUGwrSjwYzoswmgBwyHJmYrVGru8S0rCC2X20sqoOE6KZA8XOTLeYm8lmCF1IE7Mh2[aIDRqtf8MreKoVID6E8z7zqRKzY0dwDIv5XpChhgxQhwbCXsI61P+PlRRQrxS:j2IOzzShaOTvMeszurA69{3Hew3DevX9Wc0{6FlzSVHDcMcTQXwgEkCKmDWOg,bLqM/QDUGlKg2sPwnUuUirBmKCmNs0wWfsFf24FNUeZl0eLRMyYIX1V1TPI4m:JBAiuQHYfqY{6FTqUmKYumeREy/8C5hc330naTafxo/PYSAWwE1y1k/G0jE[7twZgUFI6X6m7OHM+6Q:cJJ",
          "l&#l&#l&#{-",
          "xl&#l&#",
          "3&383A3[3k3r3",
          "SHLWAPI.PathParseIconLocationA",
          "FlashWindowEx",
          "l&#l&#l&#l&#l&#l&#",
          "7$8-878X8^8",
          "uisq/<b</`",
          "InflateRect",
          "USER32.LoadIconA",
          "GetPrivateProfileIntW",
          "l&#hu",
          "?ZitsLakhmushKithHethGapeuveaMunsNoonRandJuteHuntFiconom@@YGXUHearWheymu@@D@Z",
          "7(7-7Q7W7u7",
          "9UNCLniX8Q9stHZ9odpT9q4r/E1ozqN9PkWVWSjFFfsD8kq[TE6kjxrWqhPYPOOzRYgZybu0pF1qK6aYL[CP/PndSgqr6Xp3Pq",
          "<\"<(<-<3<<<F<",
          "USER32.SetDlgItemInt",
          "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#&",
          ">D>M>Z>j>z>",
          "YoWQGRRSPP[C[wNruJDe9UEBgwSHh2z1[CxukluNrwVeV/5tfrqKDCy7MnZJOcnpQaip21Wd2r1DOPc0QlgYEYHgl",
          "9(909",
          "9O:^:x:",
          "7'7,727E7L7\\7b7",
          "PathRelativePathToW",
          "2!2+23292p2u2",
          "0-030",
          "Dy)<M",
          "<-<N<T<\\<d<z<",
          "3iXUFwKo,RZE[dmjSGSxElIp[E[ecdH6tkjBeXqdtOR54iISfibceHpQDoYQV/SZPamEBjtoRmE7uV6KVkn8g+,pSJ1OirEgMA,R2YCegItCU7myVlizPFrdQm[0JpWlqwc3siGZgmMwI90IxU5jR5qjMo202jp2rdKihhNJQprp6S3t,cDwv83lNNmkVD4D[pVjntLAmDYdV8rcbPkE5xmYj+u5t3tB:dtK9ENEJkBl[lZHD9UnwamL1Sh7SDJrCiHAWSBZH8C06QsH:4bod0gC6N,aigqylZmIysgM8SHh7VXvjYC9rEG4ZBD/4RUXJ3Px{ILHxb:lvz{RwOjVZiPOH8,nHXY53hZNdAwZMZo/KfrUmvDg,dLm2biSGODgH6ly:mKas+TT9p0rcdHqHTlEhs7x6F69vguq7/7LttGoflumQzRUJQLrrJYwMbuhZ5JQjp7Hpp{PR6YOq+uzSKwZytLfbqkfd5mDdjrZeUwBwg[XOuuvjCdD1Y2YokjY:RrKvKvvJsLxoA4rQrn18VG7OkiZkqvhur8kRGqd:8inwoJRYvZsvCNE[0ktU41g,vDQq9MtQqZj0YpY8FXzVnIt3Y[YJtOLBRpEFzpTCQqT2GosZhUh4sCf7ywswEJ5yUmNydKkRmFaIBfKDhHMn3G+eLboYY5fR/t8BGk+2EI/gF7jWxDi65JOqNCnn9G98fqs{B3pCR:14wWJDS7IyGq52BXynXWLltNgOueNePvqMp7zsMV/yfvLmG7VgdCbEkm71ZtkF/BxCYZV3A1e9ymF4FM8yfGWglGcohTMo1LKLPjJzCVauQj0E0ED9dD7hgIZmcEiYRZd9+vtSVbOrJXz4UoCRa7btnikYjqmtm24uiVSRkXqfKXk2dMTuJlV5gkCGVK8ytF8eUBnUJf9WGYQVSymkKvw5skYRc3PJ/2Ih26x9MQom9,b54inK5WHgl6crIIVDtR9v8rY8G[+k7HU4Q0j8QxXSSRkLSKCQmEzvu1uD6{WJpz4zk2GcPDDej6AU4dBnlyRE8lFVq:JNHTmojklPbZsjVq38AMzbExzL82ik3DwLSPky31AIi2uJhJ/pCE8nPjlv9ytsjLc5DpkXT4fjAYkVpZJqr4cLzoT5Xy1yJer{59uKRQJXy7HB3vnWUI9PecvohqpiXlBpxFOI+CJx3DoFzsbp0edt8PDJxpvSZRf58tU8BG72+0RR4Mx8aMpsAqJLkJWLRn9zUWgtxzVxGcBCEBWCY4QvoXTeOSre7wIUPqQrR3A5F8VUBXPVIH42YxiuKjK610nkwx5r96gFCrYDbZKQ7D83DJ8fdk6qsoa2hUciXeKMwPlCKXTF6TkuTDjvsLrfjyk1lfCvJe9z2rXs9syuujW0eOy:ZJwxF2TLXRxl996IAcY7/QsGH,a[TRRpTbyxM3635d0cnzqPXws22z+gYJ5SlkDOWq2kp{JmT229j1sf/D5sbmP932dj7SlRaoWtNeIgGWvkifUvUfu0m93{IRE3VstenDthbh4YdlexAMG9TQQ8yqMCcyMC1dKrWGR2i[gZK0o3FQT2x31HF3Lqy9whkYXrE48DyjJKyoBOzqZJ6zFg2ZWPyWP3lEUhP[4Q07s,rosgKMEZ4eqiAZ+HAZaCj{joA9TKtsgDbrfv66sKbIB2jukJO0QIywWpV7QPbMU7xPUoYX3H28AOJh+,+uD7tn2y7,07pjtbwonuFxMkj9a8yV/T1yyIAQv{V2PxFCYCJ1FfwHnWiIRG9:001LeK+JCnfOpneJY5X1DyL:MTXvuHaPOGjB8IIOkwxqcod6ExGRlnMSW7vJj:EW7tTWZJX{ein:R6Qul601y8TJNqUrMy2RVtXOpHEHANs,WIRCc8z4HNz4xIcX/YsY1bs1K7Y7XLDJWY89rUPxxnepJHwMCHm:VXVSuiFCrtaHc[FBK9eNcNdrnWag4iKxvEsnW6nqxXQTuipG9BZlvkFTwW0{E78EI5
r:NB7btWLNM8X2EjtIqDd[7iJ[8EFl5Wme2{F000PTg,/v5{OUOC/4W1dT2rxr4z8Jw4HYMYnftojG9HagbHssTBGOKK7Wd,FqG,sjdkWYMCEQqJqDPP0zsmLhc0AgWhU,Fs9lxIBMxlwqZoYUFrfDAoigOCXd7BmzxjrcSyDU5u8caIG2Dc3y1zrphdh8h{f5DHQkzV0XEpr:dbqQv2b5ZZ4NEv0Cn[JBV7M7tfTXX50MuJD[+lCpkYUe6jF9YSJ[ZpG,z{IjZWKp0Q0xqeiDI78zDsS5TfGpk38sEdYLGOxzf9pP6h9tkfHBfnwIilutySUf/vngbXIm85KUbUZZsfT,KDFtciQGRUhrCVsv6n/29S4uDTTxGhhbOyLJ13lCmHFDyn+WXFOPrk7y5hWGBDa8NGIxdrMHkiTqpOtxHdFV3ciqN6huQCDIxF45Mzom5jbFCP6cRp2w2[x7LDh:M,gZIWlIe1vu0RXInpS4ab8w7iHjO{3ohzSlGPSjoiFl2JVHDmJjDmA4EGdWTVIW0K39hqk:tqQeLQpKm{mD7HZeHLEnHq4bQZmSslIPt9DOhTJgLxYPMqZepwr{h[O2xw9RzWDQssj8zNdHsM4,DeheiJLXmFtKoi3IN[myiGr{p0M{xMcGc2zYt2SJNjLjUodWau0Fnts4lsbvJ,WSyvkw59BXlt3hzZ8sZpEjxx24xPjoueFupW4upc84QYZqqYybYuPeL5nePLk5x5YWlsE,z1LquxtH9Fbe3D35Q{UflxRyXKI7ceVP+Bk1wVU8VCEQYHmzhm3OjuEDpKmY4zoN3162vSAEmRL0WJqeWB78fUcMWUDLQJcraDxVKN1p27QWfVyQ76DU9qm{rNGpvUl0tLEm+{u4JWR5iU94NDxwfGpRvfN3xfHP8MpfihGwRhG[a9lcnxXpKl6gIiZ[QCUo8lAs55EZFsY603OmqihP5SjqfQNk8yG206qw2,BmW8G,lHZfqwy{76+tS9anee8Gn6+XTzJP6l4RYv0jyrmm7bHKwP3wf325TeUN7s5QwDHnD{/saiAk3VzOz4Cc92yynphgyBGiS1XfPBvdCr2ReSWmPLeRjgYg+qI9QYJ9ZlGT7DQ8Yim0pmy7XSQvfRvqbwOEV3FDrufy3UqI3xDeTPZyyUmnz6mfhiYpGQr5q29r5CCB7SuJUUiNEIlpUsZHm0H7gsXvlUyr0HQRU50Vy7J0OIUda4G1+SmnMlm2UJxLWMi:1znTlRSGcK7tIBwRnG6NJ1Un+QwKebdtg3YVpUBjE2H9TM/Ehw2QyOq8cl3PXx694lKck3WP1HIQtMSSEoS11zUYRoi,VEp4w6GHzvH5uP6cVDnsz,zm0iZKWD+5ZBPfR329Dh55wxjcHtjh1fRoF2LD+UE0T:IELSggouMBjdpgtwyeU7V5fDwYsV0IjOHDez+kcyUpoRZsu[RLstTGbdrfPLg:gkI7INME4,n5IFk28OxZ/,eFvnBV5VpiaPff8UIp4dWGl{DkbkUxNPQZTDsCSOKg4W+fxcYuznl5jZj9CJZ1vb8GrOJsTqjjXlhqEwRUy:GCCPfE109rnUmdl5Fr4nSOJkSKMkQQiy0GIGw{ugUv/ZfsxHTe7tPY3jmqIzZOP0Xy6WI[3ryYavqdMWTSOEMqLm/k3E/VRtb96UDwz6tUO2zP1rm58Pnuw5uqqGxzrI5J95Oh1j9DVLeQ4tX6KNlLtEWpqGXGwuQFJk6{J:rcS{sFnO0RTEHkkigNk[KlTnqwfBh[jGZYl8jL92kFX2AZs48h/cJ8XvTvDB5Yxsyus4/rGSKIQHcCt5wPG5tF6pXqzfdymzfCfYuM4o4vtQlzno4[l2Hzj1kxdrJyQfPD6Y4QXRZsknVmrVgvK:AOLNaciW3gqLSf2BfFgp9{oNJBXKP4f,r5Xg+STNNL+Fne871cZZUy0wt31Ckt+2RlEB1FgHGPjpEfcUATPZknKrXg36lZNliTZ2jJ8ZRITxNog:
0uxU3P6BBgF6WxGOt09WrrAeNwV:GcZDkP5GxI0PCbpbipOuIFOmaJSbZs7sDrU,Zdg3aE76/mqyicg28V6kE9wosfFe24QfopfOTt1Kt{s[KVGkTzXEEpRInqXYSbBwB9Mhm3+EPxKIsHWUrUQGPU09x:UwkJ5Sj4sosSY3A[w,1k7tWx81gvQ8ZJbNZd5Tix0wC5UVYu3v5w8CheWF0bKSq:s8txA{YOqtr:eXbYLxV4cG0MbSGe52SUvDQexug{7clBoR1{9KDbK5y4uq80W4Vsc7onKfYDaLc84YxIi:3KDl9iNbgF2,+8EHVFIoaMeSDVae80qVqdz2cJ47IFxyhnpYW{BToxS{jsjC4HcVBkLDnODZAEgznu/oyX2K6kOneZJ11IPSb0wwzLt7wHqZ0bGjs6/HI:QkEUyFByUSpdy3e8+4m4ZGHorCdoyGf:9Sd,48XF0esGxQQqWLEbQry:wEzpLtkmSQfC3cT7v{EnyB4[/L1Tf,PvPDFIeCRd2t2P+fUSV{3pflrnq92cs2T5YUF7vyBxFwMgs9efPtFRitEMoLi32Oi9nK8E2ND[qODdQ,ulDbVEZxUgCwQFq6YYR7vSxdc38jVeauUvX5n,hiRuvPlWRtCOQImwtDxkVx3Onkjcclw8s[a9co8Il1L9IJ5Z7ZA0ie7eiV01BFjRnYZBwJ8l+yrORODR+WC:lvDl2QqbYezSqkrqdXwJ5juK3HkDFMK{I8THkG7SiSiTCb32rOKQ+bJJhyS48ldWn3p{x7/e8O9wj{GCaHtvVk+Bo4PlXWFfu:5zIY9,HlaCqvxFVQH,ztHWouliCHoNm0aSCcN10q0FLGdykYsB9zHWu5u:VHTutURhK34kECOK7kywtlPVHCukg1lgKdoCPpFGabcGhT4wEu6m7ewfou1UXcT3hQFU1kQdd1YZY8spdWTN2KY7s5qUa26OHhfQdnF2jXIJZdeklQkdVvTyvw1ne[6{nJUYti0RnxE2A8hELsGHim1IBlwG/FHVXThQb{JP/J0N+{kJqVUDuZuHu[YKXgCSPuqR6tcpiTePFdRk7Gp8+cJlOdk8dVwOcpKtkpGThLywxb6DMvgyK,qZrU4Z1N59mSd:k0Ob/xDcbZpU2wm9curzNESFi1XVrM30lR8xPYmogifnqkJRE,dtMUdoeg8yR:ShdIG73fz8oVdYLxJ,NMBOuoeqtnbgcXrfmYPN0[KGSYBYpJQPP6SDCg0ThejqD8tENjiG5HVhd,cpE10iUhwEFij{lN1W1Ni9wxFTSZYPn6q{Q5igW5xlYO86wFKzbHqiS46TVODGb0bMnT8Znh1sVTcp3mz4R:ldTT/XoKvf9gGm8:PYf[CGHJHUCmA,h6ACItLE6rP9HdZ4qqOoD6Zr+t1gfLzjyucsNIg1o6j,Z5141ZMV36uuLdT07iHt6r9:vOBbd9WNxJS91XV5LL6ZVTZuXCSK9HK3oBIyfpI7H1mUPXNdrew8L:sWo2M94O4Vp7K[+573S[ketEcmFBsWcqw7ZUp3eBmg4lo3KSaK6,f97O7qwwvoFGkKLKADWlhUrXg0A5n282Ru1mdVzE7lw595LIJlOUedDKErIs/qiMhRcv1OuwJUp{LzeLp3WVQ0T692KnBt9JPnbSEiqyPiXpcU/fDtCjplQp1QGhwgvtaXbzG20nQNq638EWtPYPYx7npTws5ZOwM6g{weF1oSB0Fj3qreJnN9ST3:8FKDsiK:vYLGGU60neA91USgzH5cYRqBIsaHN5iim6PEhbElUmlkXYnN4DTYIQb6xluiZxYKCH2VHOb1OWI{ENlc/JFvkcw8ybwGzmiEXbxN8cB13phtG4h4rZRTQw2XVyp7TkP{ZoPZopAoTGGClX5,wZuUC4ZN7lR2O92v7TyTGUKYvJScGqpw499gfT94dbLdF62QN5pW80lF21u{aqCb26FtQM9xDKSjz8V7GqDUFbCLzMo9eF6Rs[yVvwPqr,KlRhwUC:
DFZQP,EgJwuUTUN9M[9[2{WC3k7CX:ogRHLYhY6wB9qrMQDqSPUx8HkfAUWIOj3G52GHLwoCvfjbJGUBq,Z19OzCRnP0EvSvOJ5p28LVZWu7H6H9NGIpzus3UZVxfJlV0gjdfXHoZQp1yENSBmXCaZe{f7KO2,R4BjeHNiP:RyCnc2fIDHkNVg8un3q28OTPzVhqhxaqYjY:H7PUgVNZjrYeMGCeujFBO[fu5vN9f,ESZ,a73dNMyhPzKPcTgg3QfxK:pHCOrmRGH2UgjvGYl71ulSL6qI7uBRY4hiX{COkWRMtr65/U42q0Nl/BOPdSyVYgt{91jyzUEPp7G7Y28gy4JRvbYWdZsLU8f29v1u9IcGgoxG/gMfxZfp7l5n4XULGxD7B8tJ+GK{kh3hWSFIttMdLhV{B3cLAHUdRE5yCZh{sd1[A0J9tQQuVIgyTSqMzOM,259lx2c6dYl4hEwtlNE7hp58F2f:8ZG3qo3KJFKqIuHpPvRWPQep2iH0SrJyR[PjZmy6Qf+hX1wZ/9A5t6SOXYmM/,0FRdd5X4SjjJVLRBcsBJqi8Q8FgdnOLInoHU9pEQShb,EQwiZzdT5Ym29j3UH4BvrMFN36VpgLu4cRgrFPtQIC3L1yo3h2+11TZYnS9E2BY,H47vUJ+[EZMNBmVkQtNcWXbgd63XcDQ537kURnf5wgb9momZ94nXlHbS5TPHp78izb",
          "Wof2X9IR8BKVTZoETv5dwfmALlx9BOY4DRX9coCZgjwwKa4l,mEfCaRn2+f2gdxrJncc,2sGkFmGvhUrBO,X6k:j2nGp:3Ejnnkk",
          "USER32.dll",
          "5%5<5S5Y5r5x5",
          "L$<5!b",
          "L$,f;",
          "StrCmpNIA",
          "LocalUnlock",
          "d7L:l&#l&#",
          "Icontellnoway",
          "l&#l&#l&#z",
          "KERNEL32.LCMapStringW",
          "!This program cannot be run in DOS mode.",
          "6l&#l&#",
          "AllowSetForegroundWindow",
          "veaSTZ2MKlSKnFcuo7LRe29VsVH[ylS3v4tTr5kimDkjT1jK8zmEw3Ib0Fb:+6rihZGQnpbI0uctQL",
          "KERNEL32.DeleteFileA",
          "cRR/3dQ7BZ4+hGiCezccLHVghOVupxr2Rjmj6X9qgVfV7FUHi9bjTlhYxFPxVttgXcPdNSHITo",
          "ZetaBeduPirnhipsjailTingSrisTeleAposhuskNameHoerflagemuwo",
          "l&#j-6$|",
          "      <requestedPrivileges>",
          "O9lRP3",
          "corect.com",
          "0*00060U0Z0c0s0{0",
          "vl7:YSKKRByC+xtCa0/yjmu4d991p8fcU{eXmjOhU31RUU7utM3yf3gkoDfNwbWEI1vu+UsVUtkO3HtimPLyqUVCL97H1iiIf3NWrx2Qm[RizbgEPDrCiU0BtmxlkXDSsXF2umWja5GS34xCpbHwDNt{511DxPnYVUoYNQ1GGkjeEh9tr1KMCdD1+m7Lg2gyLf3:jLT[69yMJLOrTUkICRWzl5tVAUzmUe6XQGuH5DKFxHkiEKhvUgR5G45IwbZQFnv7UeULMZvuA7JG7ra[nyYNOLcx3fhrpgzqj8OP6DKZ9Evlk04u0VXwmfbRyfzOId/EkLtg+HVBeMhN7IIK7VxPyFD[kZ9HsrTkvUC,Ox0[MH/IEZByZ[UjMbZIMSYZ+9usqj20NJjLzz3ZEbaJxzRN12PS3eubYPcuoIZX+wj7GK6RDmvSYJXKtZqNTsdf8e7l5QbxT:T5nREYS156+KP[djet4HZ4lNi18knilO7{XveFUgYDu{Am1Xewm[10B23u0CK61UJ2+djcFVj5/f32Bbk:Bg0c0mDP4Zlo0uGpJIJdinq9tdUf+vO{kZXtTzmuEzPzNTb6WiE8S[Fy5bMnU9qyVn1TV1jq7bh9pY9,gy+zdW6CFGSeriwLzfOJCfq8vRqmG8kDJEMsRm7m2W5D5DCB2O16NbFFmBDzW{qq8K8jNilUJbSF+c8sbsamBE4{4QfVb1OdozdXsDdy2KB3YkkntUYGHDu1f0AkYqLxHiUihtr,cqzRpk6Oa50CdCDOxQFKC649drMnEnmWueZd5oUci9cbRF4p7{Mq11Tp292yrkKfA2lJpNLxzZ6K8SpgvV1fVpUlMGGOpLjxirQxVvQtyDXr0iadYyCBCYD{As1nH5xWVn8hpiZFOvCi7{113,8RlVdYSVWXON3mmQpk/VRO/25L+gOG2Kb95oGV01ZtjWNUsINWTCUbNlZx0xgCRUe2syWnbPE82:CSUYW5BmY08EZp90uEJvNuw8PcYMkn8hJ2cPiwrR/4XkSeM4GhX7oUY{1KmH9pI9eGX7QHsV57uit,WSOmN:8ChJG2dkZ:x6P3Nb6nYCZzDGxKNoiOKFgZRn3Oz8B6EePGe9pPtxa5hpitBGomb,dmklxjhmoy/mPDzPIqvCZBwLfPrWk5yTO2+dFN4mqU0ZjU0tE,4pIsf7J[7XX:CBoeAlqdPm4GngNxiGooq3Lgtfwod0vu/d9i9VMrAuog19g9DzwZ9Lh2kYVjY:Fl3gdXPYOf1FdkAJ3gR3K8cIU{bO9IzCTEROVvTz3uF[d{vHRBGrs,Y3hucc2YlzC6r8z1vcsCLte:OQh2Jzmh+Uh15zqR7DJob8jjZV9FOoYsaGqHdHoJDqUk8XiBqBYnyV7Usgus4JHF4VtuY:tcm75QAxTqyFRf5QjfHw6Kh5ybJUHTd8aIQ2SISQrqikzi9rM6GvN3CyCCLdH[CBqCH6ICLXWjjbw,IPdW0rb:lk/4q7ZSK42EaXUIPyb0FX4eRl0lEEwdzNuPSykMCZPQ7hkJ687hpVZnEdBoYpd,x5cq+66yVfvuZst8Yjg[5jiusD/wV5g460WlK,mCJ3vHxr6TYVIgS03e9naQAMwm0fpM1ELNKXZqsXT3AEmsRqJi0Jf9z6fSncZYoFNDDgCY6KhMvRe7aSvIFm8MWmJHdZ2hLNFIOHoZPBm6YBqonY9j5sRtvmIir{qznWDV4dtG+bcsI9KcTibqmGHSvbQl8Vcby3690f+X0bDi9C1ImZyg9Wq{ibu45Ygfi12lY3Tx/jbSC3cq4Mp6SpyL7EK4ZxRyRowZiosTA3cWwgttc,IEuSP5A{HmR:FIEpsH7LBwdEZ3kZ1[2uZS55oka:eZFrJ0ApW0/PmsndyiG9e9bxqdjNuMmDwRoumtf5hlnfSEoo+mzeVXf{HR8TQ21qI4LndjlkwCJrBrn6LL2JaSunyiA60guHFxbNAWa:VzPYYe5T/Ddcm5BkwiA
kYpn8xrNQzIWW+0WuZySZqxXzlDwnS,KFYcwBnUMX8SPCo,8VowfFP:pJcLosTYco8XbS6gVj4qLHlTwWPZMTC8UGh5GLEsqUFpAdq0jw85D6Ml9{GTKyaNV8zwLn5p/QTCWqnnoKPVqouIE9tGBFqCw{WYLb+qGU4GxhpuX8t7H0Xtx[rKUhKBE0FHV3kjSBRlcZAW/3m2jP8OByJ7b:JHNIlB64FIhU8,CfxpxVfCPrzHRVFUwU2hD67e3RFS7J8uSJgLQRmzxB356k7u5BKgrYZYWBuuyB0LbqPY79eL6wTusLlRLs5[suKzuyaFy7sfl:vSi2zCRq3OPfaSUvFFEod1fIdSsPE9D,3JfPKIxJ2BAICedrFxFOd{DTHVgQC[zTWUJMj{rMTZGu2SX6FsqZuMONmO/iM,O2kV4LMnesI7woT2MDV8j5l3LV4Bml+b4cMrjF+6FY5pQLmKIzSZmvDKX6uG6tkuFepLMOHXe9e:dJ73gqGfnDySZ3WPx5hHFFaKUgUGjd7Og[gfv2ksPwKsVw4ibLq2CBpHoPxumDmGZKlotFf{2lIzrghgqDnNd7RsI5YlYWQ,L89XszLHCleK9OOQJ9Tg0E+pEXgKO:WGlOemOUWSzPJysgmSFUAOfJch1b1wHkWkQDk[gYTKWqJvjNOw0Uahz,rfUBHoPknxGC5O5QKee{xlH9eOvJBnZwv[FrQr27NBh7sfp6P:E:FtCfAnq:+Cw4Hu7iotHCBJzH01I{AtLovzo7Q5ZYsoci71i[Oo9IMXdqotGmNLfkv7fSc4EpWPyx7ipTfNy{mHoSCM9z8NnI7SZNZP5UatNmg5fN8{gQq0261XXpyV/JUK0yssLuPoDCAFsENfI,zIL5Sn2fM:j3gJ8RD2evtsbtZwysS,hszXDez[5ju:JLyXHQmHDp4U3i2T6yYRE4fih84VkEDVAplvtRP[jTc69Sy,ko7rFz29Heb8CNNEQry5cz7W3tZROCeDv6wFLtw3x0pFuDCSu2jPyg94UIVmvLjmzOOyHt/kxYDlO28qwJDeTi2VxEOoG82jKrZdrKL3Oy7RbphncLYk+MeuV:FI67So9gvYsgGOy1K0gYandTYJDreFqOSfrsG20gy,3[a[0mVNHfF,EDGyY2/7Dw3SDDhr395RkRT:Zmbrd9JhA4468SAqk,CGHwlYZB4URCs3NjX7ijsTL7f37O7lecSKA59mrZE1VQJd3DeojZN8UjIDz0wK4lJU30dVRpP1I9CHIFBNhKJPWN1NiHjOfkEp5D2iYyulbCzba7JbkPOWHq6CuXxmuOn69zk,BjWDL32OvecU+6nKJG4Z2zJVWMuoNs7M2,3WJzq5+Qoqpw+cRynVxfzhcWOqCuZq3DKWlq52ZYW7VIUWulthprlxRKs,BHTcOcLugwy91JodwtoFQnNZE7Ri8FdzV{M1FIHKSOzG39WZ0HLhHk/TRgusaZUu3GS:W76xP{0Nrj5{Ix0luCM,fGyGolpcqRaikI1,3NTock6TQ7o,EGfqNCpNEezMSyrZ95tyRpEy+wYLw8quaC0uygvq7i5{CrZg/cHXys/pKRbWOBY1NFLb1mB8T3tJKk2lS:je8IPLCVU9mFPznqtqVbF,PF0RcJT1Zldm4e3lZTV2bUPRLm6[WoZZycHtR6KJDOzu9uNTSjvHj1qNTCjiqub4SeQd+4Y3DSWIq0Tb1qGWenYjCvRH56z6ReLq/KSBrxqRinBRWFRO9[f9c72wvefUiCVmT{sL3Rnu2bpYTDikhcRQbNudFcRXg9MVaTe3COOBRDsl/TeZ9RFutYs5cVMDnRmxC{iH/1IcmyvvTTTpKncCbHesMU+DsMfR3tNludKITk1ukIceAsclCvUyUNLpYoxYSJNVd7Jm6QyTARPhH,7{ORCb2Lf,1xg4qrggbZorC1p[WyTe0VYxXkoC6KVJgbc8tM4bGn3SAgV,vwmnAVG,c54:CurhP5aKY4KmA71{CD2if
q8M3J/t4ww7eIV:gJiJfuJOrj9hYksCk4TnbxFlNm/w4[nxJ{3CYn+cPnzoLn1v3cdXT{QBxbtDIi8X2Gm{NgIRyMbdVodqaXTW7oz5tzkOv[w4KQ9,timzL4eVm5U7x,FvDgMMtiuRAzKmqpB6mMonl[EgNIhDeMa2mjhNySQ3h9xLeuNDCHy8d8G2yf9eHz4ERJa:oYDnNPUL+uPGmNf7xBJQy,+VPtjRkDpvYjpNhkI1yFVERixVTfNMMGiPfIvYRYOMGCb8iY9,vE43yuw6Kzej5wOQo3ePQJuM6gcn/iKN76GUdO7hMoXjbm6TQszrj3kWc3dDc[7smk+qycmgOGwFA4qcl53LCb8dDch4iip1s:hK4KcLG:+cC3e4VKTONwVeq4T:b8jXAmXkE1HKPzSgaGbbQZgdc:1qvi+k3RIjQkJHB{/TAs/CaVZlT5ixhYQzIKjNNIXokcYXCfM2ss8k+TAgQzu49hXg5VQ56Y3UI:SXEK9pk30WnS80NK9QrVmr/{6jq5VTMKzun5pdUwPDdk7tjKwlrScr/cG:Xvw35697/Bp6iVKMRUbSXBoXDcY6pTEL1xH81Dnhl89VibQ99185mLWB80RHsBF7kdCVJDAPwykLrFn{+FljuMUjO5sZK1ztLJeVx4bIdieL8JH[JpInVsQy0iqSP13YGqH5xHuIoIy5agKs5NBlQ1l5k[9q0R2uRxnrLj3jrUJrc8FBt0hQ5c9lbvY4VhQgzXKlQEpLUr/guBb3/R+1Axa8IIZyM9PutMPvOdB1XTrIgkPB76/zB{wLEDggfTkyqzr3L,YwuKapz:UJ7xzunXT7JE3PhB/cV5F0vC1u9vV,OmNkkWVdfcpFe3NlmultGYcXIZRC0fRfYIO9x3tm6v9wDzRgzyUTrWDqIldBVezEyhS3vIK8pWr5SS/P+b5oE1ld9,Hp8fjeuvIvSb4M7vlNKC10/NoU2:oN+dAHIrTXvjB7AnMBu8ARv1RRjlbohX70M96Cs,ugdPt4y4I:3MIW6NThjj5gcSIv79llDMq2zONdwnAD6Udpr8qpCYSs1x539GfTe,WfFV+QCL1dnNeWO:NxyE6o6I2OMmYp1pi2A{DlQKJ3i3V4NTOMoolzA:shivA3l{kfu5e73UDHe[RLGiOPevdiEg74Y,NyffmFnkRbZmbwQke9g[HwA5a6i65ICmVUFzZVyB11/rM3lwxcd[UGJmg3lOPrW7Vz+1nVZKgiWpsyilwchqbcPY6HgXyROp9sTORqzxZb3KjZOxdSzedj57WFMr/rp1tD7,NZ2MTtOdzj7zUNJ8kOpoPJi5KIFIu:FFNfAUh:2QY66glSi5yEKVWtXek39XhgWG4NTUqkgjVmYpa2JCCL1projQC2pwlrg:pXbMGBLHpitOZ8JvNTS7wLemY3bOgdhmIuL,GLy34lFqJN5OX{EZI5O1wDVO3:aH3Ch5IVcVqqQh94U2kCa5083Hf9R[KLtgQ6YB2DdzLdNGjzMZob1uRrYZ/gvqpQ8suegiR{fDSmQgpPqEvEUfbXW8sWXWZBMK2uaHQKvPkN0930TNN16cnRjwm:KvSN8I3SCz5frgS0iSXk73MKmkdw6W/efrdrvFIyXmUJI41WFphSUR2r4fxHrUlk8tLlKV/xiDuf8Wdx+GYJUMjHaeVpnOyEf3ebUjT8cZm:FfY{e:iXAuN78ibVG:zHqJIxuels6cF,ggfxOy3Kf[7RObt38E9fwCv4OF9evWXtqyuXpNvw0tqmog1yyHfhGPGVj9c2RXnDsCfzQ4klTMnMTji,oKebI50grht1lh0n431xvsBy+wJJpPLBBJ7LWkz020F3lyRMshd9iLiUQ9dLe2BHgzDMLOdjtMG{Djs0qNJC/vk{jy9NG{ZGSKGNXs7MRH/9Crf{57qQGyBYRXwiCMESFxWmHn2exiugM58y749TioU9O4T{nMaXT4t,+IoTO2aCI79KKjwSVtC7Ju6y0:ms5Pl,B
ZQggqpOsK9{ihzp+M66Gk1BbQP6Z6PzuodMq8HPeew8CyUy2PE[Ev+NrpA0RsYimgzEt4+NVRoVncuGY:r[z9QRiil8VegbKLIu/lF:X7kzhoqRK6mTyTO6XC8[mSmQIz1:qSkw45w1Dhq9ThEXdHbyqD0G+TOQLqQHmMuwGhx8+MJGeMj{xGPoVN17kJS:G9qW5[PQtbgpnsPTNuMDn9B2/GKQymj0f:8LH5+M6j11vu1erpwjQ0+zJ3mbTozXG8yn1oI8NmDzeLY0Y4wu5Scfird1m909Vb/cF6IJfkpHBnyT8nUmJmltHY1w4wrpHCbH0l59nLHwwHLdPyvIPUMxbgT5WFm18sJSPmbJ0lxxwb8bt3fKT30,8xKg0uo7hDol9{83bvpwVFYClOE[2tkevlvgwve5Fu+fPWTV2NmZOLrqOjzKtNvmHqUPVUD3g4qHiSZRtSLsaUMeBzL12K5yb0F43pz,+XXOkZGdhQO01L78EI1Ca438PW9nhVf77nVIb{FSWy4d62+qHc2d5:Bx6RSijG5Bm8qFTh3mDEFi+UTC/5FetohifZHmT0n0p5G6FZtmoUhjhG+kVb6INJ5GrOLXbj3IDz1sHBbrkNju/xq0GoFfuV8Hou50R:ufPbqCC3M,9Htq5BpxZ:Z01rnIUu2Y5lULGjP20UMfjyj9sZCqrdmC7R5usjIs898ObrHtt8pLGLw3pI/",
          "AppendMenuA",
          "5%5,555?5D5N5k5q5}5",
          "868Q8W8",
          "2%202:2H2M2S2f2y2",
          "Vavsrubepodsjadebrooli",
          "l&#l&#l&#l&#l&#l&#k%Gl&#l&#=T",
          "    <security>",
          "WinExec",
          "l&#l&#l&#l&#Z6",
          "8H:DG82dFrncoyDBhkvNne3NvHUsdv1wi+rtyOIM997e9cBNjkZrpDv9n0z5OyJVOtzqM2u",
          "888A8",
          "0!020B0O0T0p0",
          ";,;4;:;@;E;d;q;",
          "2*2M2`2r2z2",
          "MeanOrrabirogirtWorkGawpSassPirnVinoLotaPledEidefe",
          ";&;7;A;G;^;d;s;",
          "CopyAcceleratorTableA",
          ".text",
          "upQ!v",
          "?NegsgirlGhisKikeMeouCapeLimoslitcobsafarRyotkindbahpi@@YGEPCUDiteDadaArtyMuniod@@PCG@Z",
          "989>9G9a9n9t9",
          "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#r",
          "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>",
          "575=5",
          "UpdateWindow",
          "3(3.3R3",
          "5(6.6E6M6Y6r6",
          "1&1F1Y1n1x1",
          "FCfLHES7H,BLun6hRfdYUBaxqhutejeLZcw4d1/bzlKKX3M5+cZQig106BOF9241+wBOuiipszfjbMSKK7F005C8e1EpECMFk,WCk:EoglOf8L1wioSEgJ4FetDfshzddUyyw,Psfw9KbwZjS0gP0eCC2j+gi1RChRXEGsWu5Nf,TDJzCJuDLxzjifQxP9uP4jAGb4FHhXjzRr3mRlt1N[l9V3zhQZE0N8FF64/Tz6s1TUD450gNK1e{mLX60hcJS{p1toJ87bqseNQrXV9yS2dThmPfPDVYLk7KS1SFt83CnhjTsjy8nw38M1h40ntoKYzXr4T{eVt6rKSf4XaUZUNtx4vMrq2Y2BL2GV8OHw3qSJPsnUKY3Qn1Do007rOvE,sBojUjKn55+HR0MdHIp5NRm8TK70hrXwscKmvwL1mFSLBFB1DRN0R{Wpw6vYkm/0eTsu90/Qpy9ylBwxbqABbl4TuKlccLWoC9LsG:vzeUPSSrxkXPsYNQjlvb791NptUEJt9cxCu:gxbhTDI2XMtsvE1Xz6Cr3i4zILX5FFe250KWtSsYuJ7EQNYjdnss5OBctSdQszBQU1JV+JQD3yQjBqC5izEcv2gR/n5nXt5D9XmBETb2sWs{UGvtGz+wUx874YdpUJ2cJ:h1z3Fgr3X195BCXSZJM7RLvDdeQzoKzQUwAE9Ur9jfx15,t0tIdDZdLdxMFPqDaDC2FogytbTIGOUWNT+97PeCGH7ML5xNtINqOZrDeDbUp89GGxeLu,bj0OyDyeaMvRaYJjZlsG3,hBKVi8ZnyxewiOHqJ2kem1q5vuu,N{hU4j+BqekeAW7QItSYcLxspmOg5fXo/NgeT[2duepmtpLq28qE6w7tXSJpXD8MFCxur3H52b1S0urDmuw4lR0,Ys1cEq7v7X8zzY4Gv6jYbu0Dq7CGFBO{OUmG2qq{TMjq7v3fDH9kKdIMi8+{3VdhvBu5HG+jfpjR/w7UmkK9oyzjMFVgf9ibZMDEuigLB97XfczRQE7pGP47WgFcAQWOahNrso+5Ymazj0CQyYsXXDdQHLPqA,GC8eULgEppSHTlyc4w5VS{O[fpO1d{7XzptG9dCesbWSj52Mvi1npqdIeQAveRVLA[jT9bbY6,aCEzI{7oBOWs3URQTMhimvOGIztINrBEivlhKtxDMTZRohq{giW4Rg8za80nTG+NHSg4C[l1l0qixjq{WS3xw85eQTSozxppSlRGaCJ{OKP3AcNNZMunUzDUx891K:H4+Z+{DTWna,34PgK,MyG6I:qhEed08Ll[mq5CAMI:vrZORblkxmg,cCDdzyf7RRZJiNE[nPerboeYpwhQ7fVLn4mmwJZVVDe7k06ovceJ5Yuz38sEYfB{BRUzE9Zn+CwomZfbIHZ90UP,C{j2iEu4ZTBTrkS{Pq2iLo4ERqi[+wvNRD5x7Wn6J{FI7VESnwaRWkjtKnYnMH4gLZGCMF/Ckz6ohYXK0c0kLtud/MkNeNoiKwLcZhC2U7OHJQt9phhQk{LR5EWH2oie/Kk4Nn+pGjggRkskDRqgM4kf08iDFRZM4LUbBIVoNt0QRjd:aYxbR6NZRSXzrdvjvls{4XsLXZTw09gzgOSJHqL0cU8pKBiTzMZ{wnUvTSoiVDdxZQIWKKuyWTMJuund/OkCr3byTP+qCgS3KEHxn8GfdEVZsFomYYjRkmqXIDpTyJ0rc:H9ViWmE,1eHMD6uJtC5d0xj1rbdxu8DYz1rfFXQx8ZwnTBbP84UUQN8e8BtYtNaFzJPOvFmQ/PGl4LDRd,V8B6IegiPD7m/u2,/eL975cLiRPRPLSb7i78Adt{W,cR2wuZPLzZBjXLFgb1lYoFjQre3i2hNVHq0Nz:wSeoIxlB2o31h9XWcdSjTtJmfFADV6lxgZ/D7r4{KsZXQHadzuGyF1B4MhuIkUCCF0bYWzTp7YEopYRsRDtLR98jGtFV+TjZq,06BQRUBivZBMTNR
i72jg1paPJNhZzfIx7vZ{utx6E7I8Iqzf4100jLQ53iAHbu6mFmm:cFzQ/eVWqom,8T+tHjkZHBlMRVjgrW99+zmg3[SUE,VhLsp3mzpMB66EoH1{E3k{1D2FXMopgSDRJ9DPD{3pLsBJvvgH2sNyt1BV9e4xm{Gd9p+C43b3kviv5gjh2g4jFtWhQhoOZm1[4ShmXwIiFQIukxk{QcVR1nEZEc7tQ{OsCZDSnQwdW60NLYhpj4+uRgcwT5tVe{F28XklEFq6ntjlMP1kW4uW/kPY8iDHRQFBmRT39qsgM3KSmFq:bLtKaRzT18ou2QQLdLMtdrcQg4t0m946AsQDYG7L7Eax3DJT0rBpn9F8578pUnHlH[WeR74kfMV86USE/KkMSwxKTq4xhq6bYELtk5U{2pyuq7SS7Ser0iz0cwhGelYWI92hDRq43lX:JyK[K6BtmRxct2jbpwxyr3HoW1zh675xqxGLa6KYpcr12BW7HWhuukBRR1Y7EExOj3OXt8ddYhE:B:2bKix4UMsC4Zuf3NobLGeuLvFKuUWKA8s7vy8yVjbtA3B,IKW1vlxBIC4ODvsPRK3YTlfZuFwraWlRh4rhcLp48f5zL167B9we+sQDdW9Kl74u7GXWWiRGbLUNuL0EAVYFDTnzxNquHJBZXMSl68U568/HXsXsznMffqeJqoGr5ko8cwP[hrjzhXs2jk6HT,gVbORkM5Rl0qfuUFDSx1SgbZu1XNdBOBNTBw7L9mSgg9PJ3ymfk8kCyxAjRyaVXsIsXHB:N5rQbybOfMjyciO,nve8cMiHLlOVyY47vNHLiCkZReexffiYaCP9879DeBw5B[g94s8[aSu919o9UDNmVKLkhTszobLCU88XzQ8gErT2xpLhaC1qQPODKiSQ72nhTUfThJr{zqD7HfSZS1I{xjLNtQAY/RXi0HQ5iGPjmF8EcRRrJeOL5rxLKthZzNtBlBE8Apa8U:05MGQiFTYnmwicbV+ym37SVmFDJV/Jgvnu/3Y9nEUH0J30IDWH+PcWYjyMuIh3y6CJdXz,B{1sSS8870eDP44{Kk2qrPXSJW7PCl34Je3:vNV:rc1mRZGFFkRYTcf7V8Y3+HVbsiP{k3fLa1Mu8OSNItsHcdH1InuUn9F6CIIW26+iNzMDVjg4oO2EZbwyUTcsU4ntbEXZ+KdGLFk1HpoLOkEFkvbeY,2lokUBY,itRwzx8yoGrGu2ZHGV3DLwMz0TjCgz+CK8qChK4d5N3vwSgnb7zVqgjtZSO14JE6qktpX1TRdSR,Sv3YTuUeHn5ytkhL8O07/mHwq4TB7XcHWo1o1dB[3LeVoq+LUqKfDHif/64oGHyoyNl2a1EYpWtVPV4d4rzWq8fQl[Ks+hai3cCzt7uvFOU6AYKS6WO7hCthoM9W6trgCcd4EVFPlkW:j0f0bsjruMjV+Y8o91G20neC3W4ctxw:kIj49jstFBQeaV4ljNKK7qx2n8aZ8PpllMGzPbr6q7XhRmUQU0msPggOF6V4GfFhPDWD7QQw2JTijjliwECICzdMPRDpACW6LnJkDRdNgm8tinRyVSYcFLyPvIE58IVNXscnuJb[ieIRax010TDb/{pZRtfc20TBils{0{3iIbNUXSa5vE9Kg56{B8KhfkjFK4QzxWvtTBhRcoLMx:XDEeLFW{K42JXf/q/b7YA4CxnVaCIfqsvERoA[TPIZvLPnflmSO8cDG{2xdrUVFqb9Clh97DahDhlqwJxUYt8CzmrDq95KIkls3EFkCp4UmuXQFrkUsbSSvNY{zL4ytls[BXDTu2TjVRVnAjWz7caG2PweLrMN24jXkKh1LQb2hmpTu[98JMZd3[OTH:Lqt84E26YjTWATZOCBc2Z3dkcKT60P4uXn1hEnNOJR1kzXZ7mwTzj:Fmvh6yPyOTIIf75772Mj4JIDlERvjeg7OcFe69q7RcrnAlATDQdr2PxN2MtU/[icO5Q:HY8XO3M8ektkG{eb1
TnBvQIHrNf{jj5d24ZwwTPd/Yvgjq55ASMt/omOUXHkqW82BEDDDTHpIKmc864,guqjUdGZBZ9TexVsbrRU8X+bH2ri1[UnWPjYQe5cj7aleg3Mvke5FIB6hk8NKbuG02W2Wx9fRf8LDtS4KPTolbGwCM0nlC5wtBDfopbX8wrcrcdRITh7Sl0xM[nrCDBuUdOFgUoMssMqdjrEWd97MJeE62Jvh9+Pe5mKzLmLHkyCk[Qgqd5cG4XD8{zndyqzr9ay8:qfEFwcyrTX8ZsmtNLOxKL386X:nRlTCrK:Sonv7hnPgCDycn/G1Izim4tjhqYkJUbBcDeD/kui67GvQnx8JEzT9Viymgk8Z7C5g,YOpOG9qImU02DJvn9RvWhMDzZ7/71ilVeRN5IzR:UwLQLZncfSncGmrcPLZpLixN3ZYcARbPQbgSibwvS[I0z[ecl2uX6QsLWELfg6/lx0puvDpYdDhe6{Xb5v/J2gVM4Vhf09q:UMM7bwWmMplNYFQiZ8Dt0JX,THsEpmmWnK2mbHKtRgBsuddczGt9enKy0j5GC3gR0KS5a8Lc+Rvd8odqtFp5QZ1qbZL[xhmrNl7r9l6S5EoOOTwCBXK9yG/UF5iGkOADzUllCl1pE2kClg5BJFVnyHM9uBoVWML31eNwOfxglXhzDP21mfYL1{j:evCK9NF6rhpbOeYX8tdLhcG7bVT63HuTYLIKLCo9nW2bLMXikmBqTZQ2AtQxYHsbKcshmsJBoqxgycyjRkX6T9VGCPLDWDKT5yFhC:EK3rYyvPIZJboyb{nwP,eYQzvG5QqfOGsZDmhC5iulbnSrdScJnbaGBlIcmd2[D1qkIrRFIrZ0iR0IhwIw4qqQtOZ4CfdYIoIsR5846BQGpX6iumc077vS26w5NKdOpUGzeJ4Lb05lVxdI4Yj8UfoxwCvxnMDkUfaSfchqagrvAxn4ObOpb5QsAynnvyK[SYDP5YjsYgdGa7KzI8EWm,9eOm8oqyLFJSKdsh4J0ouQr3cxK[otU{+Dqzh,0eAzVyIylYOjYb4vlS7cdMecQBvCGVATr[Bov17P8LbpxVyuBtd9HLRwy4kf+E4UsFl6t4scQRsykd1rUrd3FcgsOQhl8LQp+wAGmlSedZb2LOlLVzypIgpxiGi3wJ3ip5vIpimv+cARA7v0GqXKgBUVDmQ00jvKJwNfmZW81GZyszWTvcYVZ34I5QMvj[b,h0vJ65uRa[x7dMLKVpms+xGWjZYijTNLHlDhuOitBUy9fWUeI76M0z2nMIaIv5PDE:zbJviMH,eyG4PMw0A0FhWO9seisiSjI0MMfeqnkphzb[0Evo5KYm/yfX2:PScE914pVtWdYbFe7VQimqbnQ33n0uxYI3i{4x7z9xwPPCxv8EjJ4hNqk9Oh0{rfYkvZBtNlR:gEPMB8uVVsajYyhSPE8rZ8xDx4qgfisnRkrgAlOXxEDyk2zl+gbTjlM8P1w00Cnkxq8phMpB43f9Bj3sfCv7cJL1Ww4G9Os0T[2:SSKNmVJ,V6FRKmMDs6SiNb1[YW0IqSkvT[Tbbdb9j9w88lxONQc{iiOZdTj1pKkiTyeN8upoH:gRvSnqOU+[5vL0cXxTddaHngRGk7kOWPnDqT+7LXe01MWzryp0eLV9abMdLkc,P2RegusQJcU1cMkDn7CgiU/sngxsFyv6aZjLdPF3A82Sr6OJ/jLq9o8oI:cnW8ppJtHV597fmJ3rKDkUoccj7X3Zn0/N+bz05G/lV87fyOw:bX6SEf5dS1YX8DtX9Wzz19t7hof0DUK{bgKXq39iQUogeb9pqfj{+1xR4sHLUMdh7fE4k3QETYfSH6kJqQKKMOhwdFTmj,4Svv5C2sGm0PhuwiwiUIJfxXpu2HUzmi4sTSvxuX9NufP77Zchb8lDbv9y344:dFZX+Ddjj9m9YbcQ5JvOFbTQW{4vMbIQ3btjLvZyE[FEjPFvJ[KloU86Mbel+1N89GrpbzfsM5k4y
zWJmzaDhX3bToCs6dwfNbz2jMLXMxAy/e1gVcmGbdiT2KxMJEQQvTGM6zJqZ:G[h9NBpkih8YtLo4eSHrp3mz/7/[xYT9qw5hr0nx/Vdwg4XOAlXdaCQXdg14bGBOEDaxxMD2Bi3QGE0SVq1NE26JxK0wECcB3jXOdCMvq4EWGvz2dvAyk{qqriPLhoX9sFpYCvXJ9nCDiBn3lQWJdVPlw0QXThEFCbvYuOGlwJqzEKrc8cfRO3nvb6NbP0CVBWASMKb,iZ6ROCFuAGj,TQdZlBzusKFrQ5mGIjjyrjits9izIjCfEuP6LjnB3:GOoGv3BNqvhS4lYtqZDrO{B0byoQdXjUgOvI4EQw8CiZuQ4DX23L7yoOFu4mK5ESbts:G[yEp2ZYK5bTyEqUpPx[3RIlF,tWyEl5+jI8QmcHv5B6A5y6ixzHVj/t/RYY7:j2GhXPVtvpNKFIrQK:F2TPfCVbfCqXnKhlxH24SCdcxdSy7D/BmYT{poqqOIyCP{1O5vNwVjWfgLtITHPUX2gNE9XK9[Ll7IiFWUOH+V9lNLzep9sTIdCn1RQxaWDV3PO5i1cniRPs2mpoghk9TgMquDpdD5qu3UzYLJBjcDzERLnOGf1cNqQbcYlHxo2pMgI1MlclJhl2flR4OQiC+LunY{59imL9b0k5CJI[PoHjcmm9gKK9o:DsmVAQUP17FW0oZz4p2ho7zP0txnP",
          "1:1A1N1T1",
          "GetAsyncKeyState",
          "!vpQ!v@",
          "VkKeyScanA",
          "SuitplieGunsMaidBaitFeusJiaotodycolyAlbsLuneToyspe",
          "=L=Z=`=l=y=",
          "SHLWAPI.SHFreeShared",
          "0%0+00060M0S0Y0a0o0",
          "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>",
          "2/242@2F2N2z2",
          "        <requestedExecutionLevel level='asInvoker' uiAccess=\"false\"/>",
          "ZQl&#",
          "NfL4bNeVlBVs0kyY+2ZqQ89V3GoXOqIxbK8r+TE9ejaG4hxF8,aEa8JZL3v6SIuu82xF+2M:8viTe",
          ">[?p?",
          "Km}0+",
          "my!s3w",
          "Dy~J~",
          ">A>I>p>x>~>",
          "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
          "9'9L9\\9o9{9",
          "    </security>",
          "+Dl&#",
          "869<9z9",
          "YeukMags",
          "P$l&#z",
          "hil:IMVly1o6To8jEFu8p3IEWY7tyW0drRhPjrAN7t73rcbWc2+RtnTSnLUfgBZ{c[i5EfZ,RXjBUcZ6nRL[yE3b/,MFx9F2/",
          "8.868M8S8\\8k8",
          "xDjB[xxam9BNKWJLHoT9f0uhlQoz2A0PStCuU+tJuvGDYy,eEqGyx0tOp8yFCUO6VvpNOi[8p/hU[LGdencEimVaCelG6+9MogYRKtxJ5giqSyszCzJOFJWrL70j:G:WkjoL3xO3NgtqbVeOmJOP0n6JpatcPeDs[5H1MNrwjqqsigY0TRTBrnvKpmxJz1cSKjxGEaIBQT9R4nuPVplqF/87MDtPKRMbWum+b7eMmckX2nbzMmx0iA1Z9m4WtwRsjmHhWuSijVhykN4t0MqE,87+lVSPH29dh2w9vzhzdRn6Fq74M9x3GCJL053aRnS7:nH3x2r3wrFnmUe2T6XIVCiAL/Pbcv:UmPZFSDikrcqWcW2pfCgigDknPdIVdsBVNfoIvYHmBWJOpEoQGeCmtB{MB1mFWJS4RRd18QN3ZnIcKl{ql1j8Nef7NigRT74NjtdtUpwZlSOo9ZmneDEn0zVtCEjj3XeJGQwH2W2mY6jWuhXWQe,IlrqZVXWz9jUE2yhcPKD/89,8WEPrYhLfOLgZd3YY8jZGcYqlK365DpSXqPJRWahRR9i8F6VZlldnfvmhQAMXO7Xd{jMpEDKIKI{wpe4RQgd+siIg:TdOMg2Mg5lEjcq4E8KuSb7TYWSO3n[RYLOreHe41tvLz0gmXcMgHkukmr91q+tkmedw8Fly:Ap/uu9u,B64dhFLu4e96Drp[9Rghhm0XaR7LAPS3X3YPzQTHLMwiHZdqbrJzR4RYOJVtsz7u5BfDUmLKYoIQKF0ERnrUEKxZIUi93DqDkhtNS[X8vcqSMFBocWWnU,IKEb2RAJMUxQ+dFlfkhk+[+MMkjI9JxETBIOVc4IqBFZInRF7XsJLwD0mZx3O{iI2lSrcgBdnGC[kGcrulEVgf+HSH+,6pwK/jTiO2bv0UN1/1ndeSDqYbaln9eHS67BV1490emjzeBcepd[PxMwsGOTDVkspRuHoDGWcmOB6JO7/tHU781tXEihDGw0u3oV5238rYPjY{L0tkKtPsafFnKDAQz9Q7Qzk6HhgtLflTqWfRw5zt7T1h6spfzxfJqXkb54tphWNtl2ujhOwtA9lWf,xc8t2XSDi3RfK1o5kvD60f90cHCVP3B,QwAQF{Nn5fveQwdNCxjccM08+5SMSvx9y3b4m:GKzVDz5z4pPFFQ1BFS0C3:EDg:3qjgq4rl+7NlceKVVK6YpyjK1D1trpKl2YnV3BdOe4I4ZHL4DoolnHoFGtSSxe6rP1A,ukT8Au6J+tGntsFHIeGCRXbqgeQS8[fQzx+gp,UrqZSTGqDuBUCmHNJJI7S0LJiymWDZYZIr2TkHi[X7tCnCnetHqCtyJyCwUG/cwYc5QHIcxVWHMb+Xew71b95I28XPVLinyY4EzKU[rYmi/VMkCeBciouky0Yx09krZECWgF13lyEvU8DVfxLE2VcdUvw4K1FLZ,KOCUQtuYQfyCzmGkWXxl7d8JiRF[36i7i0erfUiKr352zFvJ76bKQsMEBfDCKY68eVTPb54hXXXl2kDzbZy6+[N8pMoMPEEhwdOdIBKzvkcCCVwSz6KeqI+9SxQwDBdkCIzqD5u4dQx0Hvf9usjkHE3dsnVrNfFGkHUhVfKhatUD2u82n5AYfqSNKi2dKv+66LXYmP7OdKOToZ4BxMAuFcnPJR1LIWas03IWvDVwVgIn34NWj023rpEPhBi{Ct3P8FThxM7cTx7qp:Xz2SxS+KJ7kKdWHFYit,BpX[meLZ5nS0BmcqzKlLtV9OK2ZSpS7FRFQ[X:VHbq1BUvXp99BwL:1UnOZ,xGxDF487kQOztE/tWu3ItYP4XkeVi{nU+yxi+TQFLsKxQ{P6t8hD6xMSpfP958A7otw6J0Kgq7wMo2n9jpMJswVr3C2zZ7g{Z3H3FQF1eVAllxYd1dX7M{YgD,JSVSgiGz+QkpP,2:ey3iESaVlnOi9VPOl[Cs6fwllH3yZdXWaHUH0ZGmhK8Jv5Q:
5oGho:0Wuih0s6w1Orw4IzQu9HNkvxS8gwHmcWyCdJ8Hf5l8DXRoY{M[0:y{IRGbG7HKVs5jI,uhfJYo2esJ0PzfoFHWCg/KJ,+sYxEUgk8K84xKR6N:j:dP+ml9ZHAwDTrEOnq1H:a63BNTwIP8uxTCJFakflfnTONYnRiTM:uqZlNFStLbR{yi8tJvtiwGNdWcsBgMcDD6aI21eMRG9DvW5jWlfj97bn4dZRTvRf44XKpty3umYw+BU20cS:K7P4RnYcQMDzKy0xAo+GoFl,xf6PtIOczbqm8Y8LMiDRBf/03N1e/dS40qMRdB/HNXrfLBv,j3XWHXkc+JQ3LRE5/6Cd8Ohx+yAvG,Qwn3NxpRsch5XCGE956U1LtHuzE3t0nHTSUwvRXTmk6JAN2QNr+Dz59cMDnTqhqcVl9q+z2ZMnN0i3FGNpXz8QX{6sIFRmQFBCPJbSkjj9SUU9PUlu2cuBHeA2E60fg1LO2gobXVvpO1K2zCzpId5z0Uq7XQbIXnhikKgxMJ65dy/K1vl3/J4szHPFQ4+hcFXXZmFN3:UfvYrO0u3OqUAdcnVQ3y8FEEw69sKV5ult/pN[lKi5TmPubl41Ru4oGpFLgv48E2U9hhS5V{9rwNxN3JhV1EQU7krKOzHsprtNev9mi5wY4,I6oFWZA:/U74id3yHVcr33h{B4VrYoOSxF0b4u6KYxYv+qG[XFnGvrt82rsn3Wl63Z31pIO,1LPiJpYBJ9QoyQzYvLu,xgRzmlwoPuhVdMlFsxKVUOwfJL0TImfZN,cOzBvudPtW57+:mUQYOp2wQFIHF9KZQO/wpwOu0z0p96byPWl2e,7N8HC:TpGQQ6G9nMYq5Xlt0w5El34Fn8y1o7KvNGiPAVq1wL+7ElBLBrsqviK4a,0So0t2g3Co3B0gvF89nNog8:2BGlXs17ex0fos7YHKviiwvOXiZX/JeDk3veRFQL18sHe0L5jCQl2mWwhFqno{Ymw1gm03d1e5EDcFvVBWJQWECpEB7TTsQHh2RBzqzdsk0:OW/mAjisUSwLFw33vYdXJi/VUyPYs4YP/fDBpOcerLVQwVXDNScGUcCNulVP6UC7hZ3HTokrHJBMAbSPLK/VmyXRq3emGJHjCN5hO18HNpnyWHf9tC5j1g7KhDRgTOnKkIlWp7dYsTQ6y[6EjzvmIJT:6QlPeuuUVj+GedpuN31TAlZritwupe81J0ZN4v8Bzuug7[I4yOtMQ0N3/8DofpVOERzhlziwKmv2xcfBARI5ETuWIF5:iq6SKDwKLxEEsyq6txnfPDMUEMRxxq61d,OxYMy9D26O75cWrEezDCNdQg0:Y51lJXnbQmtDaubTVqJJHokBCjD{0Z0RFUFm7Jxl7LKzP{cRwvryxsx8FUUfyrQxXYZXPiM0c6Et+Biu6MmSwxXwLKFcTFJOaHrcn9FLAQEPPEIBtPGZKUMTVMh37LgfcNU[yS9FG7KNGFN75dwjL6hGRKTW7vGikCn3gUcts:leTRyLt[Te2RdLQnv1rEd,a[fCMuom3z0mNCkCQuYID75q9o2tNxSq8RBDax3:OSiW/4+4CGZMmWvgTybsaGurem1tQN+USVV[DlRYmeVrNVUTE{Ae1ItoBc9z+0IyAeJ8QJ5hRcdmMNxQk77PN4/VSPbsWD7Yv8eH0qExveztN{p4R,QjKpImbKlFdjJI/EouW6vzaSYVvvlk6FeC6UO6dIUUAm0nKYF[4rZZAx2unTKEttdViMqtP[rfGXxDxy4sRXdpNYI6Rx40cuA665jvxPV3n17wOG50L:zscKpg1vHIFrJhsFNHlwARq06yWxRBUe4k0ki0wHQVh{o3NzM[TY05SSVDFif4UFKXNi8dTFAGkchmHRAKGDbCZyUUQgxjS8d7EzQ4IysBt3WfoU8YWSLrI{zZrDYexbrgNxBMwKWBnOZUY4/J/zbnOgg8KCBQ3iMUtp349pg{yWcHenz{f9nVp3ncr:NBNcWEHp
n9MvK2jlZYzSzqrM1E+iQJMN2igB4hQgNu4sq2yUxDt{FISCB73Qilut5xU{I7y:sJBTezfc0qLFjq7mDmwrjbAmP3WlVw5Bjp/wfCaTcIo,/nE:JmSgVvuBXN7IYDOhWb6OZiz8OyOW2GO0yBDsBNnSVdohIgx{d51nzQf9ZG3F/TusMu/yDKd7H0IEL{GEwE9WFr+:YiwReYxJLrU,ckC8LmQ0m3Q3J3qJ7Bc56cc[XVVmR,eBOq5DbLdFUd9uRCwbnueEhrH1KiAUksFFpELhnVDsVzsGITFWNXuCBXD98SKVUWK0GnyWiRY4jx4EDnRIT7gnY9E7B7wg1,0ZjYZyrB4,hN/VWJ5QZHyWDOINsX3vg9Kkm:02sv5YZHz,SzcxQFLZdId9vLs7t17pe8An8sgyfoOpo4eJdnltPE+N1I2TnwvSZIJpvJttsEIqqBJmjQJyVddQQ{mTqsCv3FH96t33FtnDnrY0yIcC8Opfm3c7Q{US9K5IVOw0oea:sCY2n3AIieiOgEUDf2D6C[R9hf/4Pq35EV68mqwGI3zvUplhlN9Vi{QdmwN7i5AbeB3{XEfTQjdXBzzhbhcj6FY{RleKp,3ZnslSL19n5ZFNlBdV4pwCqfmkIcM0LFZ{/GMBKl4SGH0jtlf:7Xxpfblpjjerj5lCkFqyDPQK7,umblNQ8iunuVYNslBOZ[b,41goC5f0t00wEexrQPvQ131LAoqxz7P69lM:Uc8l7Mbx/ish9trkdqAQ5bOzbhsRWgBEEbkP5dXUjDgliFE5TezjqoL,Fsy0542LD2h8tBZfp0rcfwZWL7jtolDzzxpLH{cWmeyvB9zR1fod3Tp09ytWv1sU9pSQan6jdWYS5UaQd0txVhPNqKEOoxnBNRSwN8+3GPdEJ,T6Td8:alZ{zVc,ZrQ6Z4bJT8bFoWpyOwXhQOzcKPnr4[rVGo1IQQHhvedVYnOjJhElDPWp5QPHOfunzm9zFgc9fVeI5uL{bMUv1wXRUZsp3,BPtwnEdWp,GIn6Muurzss[fW4MMngUiY4vehKX8UJIyvcikRix72dKm1s1YeQ3Sz8SHkdyVOS,A8CSj0wuLb+Bw6KDfGj:jSGpGVmqUIjj1[AS7iCIF0cGObPV01MqKZPoId+QiRo[gzShwMdYlTvb6j0,NrCg8KE:k[XyQ,tKRovnQniI4pE:lu1PCOYLMMxMM8atUFf8HSgYP7AxD7ZEZpLEa8kCRPnXsTh172It2m/oVYfchXFDaYU{QsQvMEnQyuJwP6m,qoGqtpZ8oL+zfnygjueMygE9CuhtW8wUWWriQvRlh1DBLnYYGQDHPyyOPINUe,Ay6mSesoj19MEFnLFCRxFEFQvHgNFGznqbA{uEpxVRoBekvbDYthDS4{SBzy93GslzX6AXw:8WtYvWB5/6StmNer1ut:eVYbVBaJzo6:b,W1by9oamMOPnnbFUjLOHc7POqCmrVfqkt6LpeOMSmKOLrcaj5D+GCdCg5ub938sBFRA4bwv6qhWuRc63hMG[h:jcnM5eO6JYmPQYcvrZrDD4Zj4whRG55z8IdMaTWtlXO7b4lWcj2MbNIddbWwmdfwKDUrXoaFP,eoeHBsSSGcSbhxsHA9SGY:YLg1c2cvT3WRjgbZ2TCioiiwlwGClUGV/lpDeUFLVwBRyRqwWI75HEE9YBQY6yLF8qR2FnDIHVWCCBdGArelV3JZ1N22ivhim3CxnsZLw23PrvGR/6OXCOl1pThrph/pnBsucuJ7bJp[7VulUyZZ+HYzyxZQN[S5XOiXG[c3l9qXHu7oY3BDnP2VQnxM9NCNnLfvNqXT8LBIKRwBHWNmKSj5hXdWa{9KwLKm2H/5eLP:4dI45qt[qGeyfMdzXRnh5MMqZ0TVbKlPtF9SkI1:Dk6QoDbp7K3jErgPgNYr5Cw3JM6vIsQBNcrQi51lIOUgUc0HDuNw5hcKFTzYi7d9evV3V6iwWIIJjNhTOL26YZCv8Pmx6W
ZRFjXioFReQuR{srffpWyUh8YUTg9,ME2gWmmW6x7qTqj36xHQ+e8W22SxWiDw6RC[1WY8oDUKB5oSPdiVift,a31Nsc0LMxo2WDYuRVXmdYS{RwW6yV/WSzI7hs7OQS+mV8tKr1xQEB7cOtC47pB9PCr62,u4tUoXfSwPC95W1YCcZV+cgzwZjgU7KzN0CFNTSnoeHLmfEMscgODqqj4q5pUdtybjk53m7xPFtkx[8:aN9zZwDEv86INWXtk:unexYkhf+YRDWyl1Wn8HkNzbA49vAQ75sSAVRn3G9Siq235Ivq9QKnwSzE4tIKC6TS+VIeEnvvhyj4ogt2QFyM/:kj97vS42wvGREbDrnYEsQINu1[PD9tvogR3jZ:yeOKwqe9S8BCaDXQYImK/,oRXZxs5h/zh[LYrNaWgZ4S6F9IZUs56EahP9xlf{02ee8K9bJ5YvjpKnICsMn4S2EkUz4bkHGdLBVHQtUUhR5s32Y9tQpMkXIs1yfbY5Xk+BPfmwh6pRiIVDaPb96xmV0fm{trvWT2tlJHdrbXr[4,HZK0GfwV8mdFqyTEAJtBJXsziVRTO8hI+6vpLhXEx:mOP8u0VcUv4QngAWHJnMfHS4AyvtHuhDRjMkMBymhHfb3XK7L4gn516nw[mr2:x7T:CopJRpFsHoHWA4Du81sOgIRp5wXNerpPHj59d4lhaHUyStc8oLiYnha:J[",
          "DdeQueryNextServer",
          "GetUserDefaultUILanguage",
          "l&#l&#l&#l&#l&#l&#l&#",
          "l&#l&#l&#i",
          "4@4M4d4j4",
          "wel,;",
          "7 878D8U8o8",
          "Sum97659aa52birkheadleadhebe",
          "USER32.IsIconic",
          ";#;);/;5;:;[;m;y;~;",
          "SetCurrentDirectoryW",
          "SHLWAPI.SHLockShared",
          "x3SG2r5QpEKqIrNC1e2tmbtzu3eqZEekEeNU1rKIPvpdYcbyOM9IJOwKVUVMbAW35RbRtBDAWy{CvwL9ZgBtqDX825B5hP3RuBMD7ig0J2wAEuWS266EvgxV{MO3zfIVVujjqC2IwWK1qtTeLqHW77l4s2X08BNtfLGfsOccl9jppTCWj440qjCSJ/Si8j4MxrGZ7Eu7RhlDmGJPmx0HsaJc0iwDyUKcO944Pewefu0l14x8M9MrXIEGJxmwLImlqbMV[1gXMrIxk/L/O1eTUe1v[TLNQ1VQoEIEeZGTWh4AyxBwctxdl7sFHaLut9H4V8b6t/CpwHWt1EwdIA,c8+LVb9tx0vvoz1uFRgxPcwYUHlttWgxD9ZGHSMb/byYKi1eG6Ux7diTHpf8OLdIF6BvK23qsIoQ7UD,70NuIvA6vkGI5,qEr9VVfzGGyRC6bRS{6C2[OFrcFrBQc{TcQV/KJTT509lvYz15sHu9G4rX0fvcbfdJjOLETRRO1I70U{NzxTw4XtpupTPxOg9bAidywxT7n4CWfyHGzjslARGqD8m5DBpoXuHtnLVjr5pP/u0wdwYfNoq[hINh+Rq98NNEsLwOzcezZvjN6:qLx8K0FpXOvUg9i5ooimk4I6f56b8XE1xbTuAyPTpPD87DTDwvor6RsLi5leUT5UKhzYzM7pLNmVJrRgtTj06VWyKQcs81njW4XLRVBqKwWy92XeYYK3GiTHdqQ08ihsR:Vi0e0FoUnhikXiPCtxohzwRmbXj,N7IGOLHRmf8lBn6GiprO6dXqo24rA98[NFSSbB6Wp4qEtvVtERI4hSw[6yb9jCBXzp/96:MTtPVGOZcHnnGCGNDy7u3TPlFxKZl3Go8B09cnFXJGrJXoJJ8KdZV,159bdVJFPMgLR7I6E{EJC2/51La1rv8BmWS{zFmmht2G3dv{N9iuhgM6INyJTf7N3jsMOz2:4eK:ZyVylQXOBQD,1re8jzMn3dzeVYdoFK0T9rcurutvgedif8eTUOaHrH+Bh47DDJmcP4BvhvKBIHgSk,o3J[5pAy1f8hh600b{iCuD599iLGLe/M7D9OR2XwSHs,nGDHFo4BJIHv2x9YuGYu5DlrQvzBCFv0eJgpcgGXfDL5z5SwtUtVlwTgwgp4I3dkU,k,+NAgoID0XhFnxZlpTHSFSMAr2TJ6lCegJFCLb1nqF5AzOMY{BhuN8LkxBxA3K6VihJI1bMEmeQgJNIC4ZnTuUIZnPv1WaeJHx8jYtW3vFC1{hKUHCKnCevodMcdxLlP5J9ELSJb8krUChi6JnjY4TEl4MouqqVnsYyyztprQ/uoRao7:uMeJeOw53,F,NOGLYSc{0JJQR2Lv1wnxDwn56V6kzPlMq6nHeyO5xTSBRZjtFdVgQhsW9HrgBheoDmu2hJh27wnlD6I8RMk4CR/by76KQHwdeYqgmyelIjf6/fhHFSdd/tYWtzUc9zV2N6qid460OWkqgX0oK3IxRKsLPsCZ6,RdEkQpzo1jq4RZyIYBg7I2m{ASsNSGkg6XlU64BLmL2xdqRcE06JWWZ0xw71NiYz+1SwBV0LHg1ZQ{tHTmq0Ox6lGhNEYVyj4p7mC,juiMPK8[9OFJa4XKVWyfH,DyTyxsviSLld7myFwFJ2wmMN+z95Zzyo1T1mnnV85:6NqgJsZNeCizUu8OmnAi3n6x9LAFNzvuNVlMOh+bACov/oyMefzuUE4bRJ0rwoCWh:H0wICw1GcUF6F,0b/C434:NV/rLjY7n:k41Dof/zcPMdW4R4RBv5+ZvZSZAqHcs[CqYDiiyX12u[+xdtBVHBdO6WX91UVso,p48X844,eiFRzgwyDIQUW8UxByXWT7nIVucsZEi[EKFqOTvWcP7OPIE[yPLfN:DUXOusUv3Q+{5dfBPgSXS[0sVoD{0oXQqy8MHob4SsluLuwVmb/xBjpu3V+[EOCGXeTT9FVlWFW{1wdp8u55ubyVLkCF
R:AnfT3hhZd1R3FPlPS43S7pnX1V/fGHISY[icA3bUsCJfbVb749RtjnFzgh3:rxYnpsn3uip7zFOR7tv6bnBsSF4ljfFwHVN2WIAWbmgTOouHeXarnm4qGU3ffIFounBQ5ci[h,kvqNiwPyCHxppOiU3xrJkzGuDzU29e0k2tK4v,8WBmJ0V:qyJJ0MXWv{pEtzBkMcEno3/Y74f{qEFfQw2pJJybhPzS3GN1ft0GwV8y6:a:CkrudTUy78a{J37doGjMnupz7hjEowTOuHaDcLmH0{V{cMbmnksTMxotp6wgcwcxnLHnW7OBod2RWbX3fyrsNH9MLwcRHWFbCtuKvg8bFF2gp4clEMOIKoF,S{/dssJRXFkiTBjQH5EeH7QdmbObhL31uRvthKRIJI1UxR5guexqerB3KMLv30fccH9c1:CsfJhYfimqqOhPZdocG,8[f6pOM:FvWCQcFwzpJTwyIleRYkvScIc865T7SKzD96dGnEh4xFiBUos6QgeTPkzBAFm6fZxq/,BLjDoCANWGYmlnYEiD6VbefgGl3FjWPVnm6qv0CQ1InIeL/L1Xgzx5fr5[AwYTzM0na4hw2UEVrmHETgQI6g7kLxB,xUeM6{6kqE7JzFBuTDmDV02uD8U1aNGnE[7H3XBrow4WHv4VBOBMWy+d8[rYG1JXST1G73Bhz8ICjNXPUXh6X1ocR:8CfZlRWLOUMuPUko9SohT,tisEENbOXRdrpODJPuW1D0cZnDlpDOYTkJorbzl9W7Ez0uC3yoAW27a6Bqh2Zo/kgVpefBvQ1UfPBlf0jkDmjL6U55Q{h3ytqXYu7Zb1fkNSOHAuJ1hsnvFk4WsYfgfSxe1MC8EjdYds1qGRHbvHMGN,V4orsg2oniqNOc6ULxy94QOTbWju47NCYnih4:O:CFIscX+tgkXyprsh4D3,/n6GCRkHMf3L4rUP8PiFYeDNh:NlzRBqcTtVJXmirDoQHZGFLT3eYK4UWPBuXSMjbLMFyNBNT[/OffVNMLi4wqaPFhJTf{Dw1hsrVbYrBwZwndzy8RdVqxWh39u5FMCQfO6V8nXJsqPWzMTD4f/iyQOkz[yzZfLN3xdg2sgxIhAhooWBDcP4fcw5pOx1o8Sg0TFVlsa5qFT3oLyNZlcXjzmxJb4DW,BTCiyR44lHPeZqzvP0BvP36hqpQ57mLkwqKTAv4KJGyXuHdcVLTwxxvlH2m{QW/yKFI0OkZPnoHwrhNVIX3hPB1I9E/ZANhcIC2EU2LDlvX4xmqsDUjZv,X[L5ieghQ2v9YsKXIB/cp4vIz[GoeHK[JghoFHIbBxjvP0lR+7WOzmqbWOhiJtz2fgLSy9vBfX5jLf0g3CufexuETgB4yF+PTYD4CrUUmxUf1dnTMO+bTKKZI0toB09f3HqPKEdiq4yGYPdgqlrO4ThnKcbKJzQT7DRGl[j5xwBwy1pxpcqekrcvt:nH5EuMMl38hdS{xIBkjCQLVEBX3QzRZ1viLjNdTEiM3I0NiCnKxU57TTt88NKpriE8QuQVZ5IX/Y5UBzs,U[6hIzTus8Kme:DMY3CqEGb9msjiYYXo5bGQYr83Tquz1,6O+hnRbMBTfEDR1lfNkH1,BwATJjr9RwWo3OKdHQk0QRMtHZ1dvjwb2DM2Hq/1QMlT6:Bjg8yGc{7m8oBdIlajHQEMYo1HpOX2StmYIMWrn2BuwXWCmyxxGouGLIbvvKd76kyzX5obZFkKqbPjYxx8B0iz4:hyQUBLW:rlsqGkYdWeZ6EMNPzu/IoYWF8[YIhSJ9S,cH+Db[PoR,cMI4JNdjJ:U1n[Dy18/upm9gQ{q{2k1FJZDISwfLjkPFnhi4oxixZTH:usgqIMc:CBY2tt4tRbl9UDw4ZSAkH:B0Won{Z9Z4i8c8vQD820IlG6cw+fu4vYcS1hm5iLDTtXMjUIBD/rn:aHexN9p9clA[zhEX1M3e8ZZ3iWKnXH/:iUsUXZQ0yD8c0b/Micm[NeKP
Kk5PL14VKkPTnk3X1Yn7uy4I/jYBuO2klzGIakPjb,B9GTlw2{7S7Y6T2mrefYztvQdZs[MxAlI7No6l99OHIFSN8:xWV93stpastrKsuysk9RhOa,gDztfs/H6g+4Ng4xnCXsSg8fRUqQKIrgYq/rcnoqrN4yksiOHsx0kte2eThYeNk8vxOXj2jnYdkXKqmq0W3CtlBfUKhw787XypJ[PeQjS:Ov07rEneQlpd8OxltIzL9:iUkMvZ0lbF87x7r[G5ooxx056:YtmLPU3M5C5FEkiW5maPQQKYdEUQ+WoBKJRxcq6c2paMvZ7f0:j:scxeD:XFj1oEKjj{OrX4u[OQd5V00FGIKXMGGGMBrnw8iH5TtYsNKKK46TE9d758+cbMJO4CWxHB1[xb9PtdGVy2xS5psqp{qU+5Cz+bKCb8iR0nZ3e3FsFxY4FOdn1:nouXWtKYCxPXb8vIMdl:55kGg2sdN2R4+rnxlvI8dC+vET5US26,u8F5gCeE4kn6Q4PDTxAPgyRskOF1ptaYoiTOu{gm/ML5bOTq5zcE4k4tacjGUpo0agKowZ7FtgcqfUdBDBA[q49xupK716TBxho9KoGZVdwili7pbUYDAEW49Ut4fFc1XNjmw4Vdp2bzF7tdR2EBkwlOY:tvDSQo+{NVrCyc5mUMVGnbHHhhsSsBtLaKmxAgUYVTYrCSzUIr7Wx2COylsT27GoYfnVd8ldlDZFiL0sh6LlpvK7SqEEO7R7QzFqtEVcvn6YePjcIGQ2C1iUKEph7h6YKS7RoUIBfuzluVJTHZ75R6xCDzc4FUnQTprNH6+KXRekGub6uzKL9D9s0tkG1P5tlJhT4{6OWzxWxhzKBDWEYJLcpY/9sLqYvVU4lFFnzfmgYb8tqYbg3NM{gfQlncMTRsaIzESTqXXHg[Jm0fs:mSdJ8,lJ1QJ8WEzg2hpklvAJE7OG7t+KioJ{KcqiKtt{/2IXlxJz9hMFsGK0rf/wpCC[g{TntsNjiVqyyjCuQTvFG9XUKvq7kd/D9zEtid8qe8GLXz6:KwnMR6Hpkim40Oe9hLWxfK55jz6YjDfT5gVGiDu0Kv8Jmd2nW,x8+2wuFXHKYvvHTQbhgbOoEFR4Zsx4Cyj[TW0ZjSqunMpe1tjXfP2BUZzrvllWVhruNFqx2VM,8r6u+I5PMRID3gdET[j1Y824ZlDKK{FU5KhI3ntOIGOos8jDWiaToIEiMee9+:ez+mMKqgI2C:qFY1iBslVeINnS39hNB5d504M:VRAcP{0mqipXBTEm9SV2TKKL4GZIVXKO8SDfUbj[kGL2bslix41P6q/WR9i{MB99XPnvaMlP4LjSXUvw94yBWuo3H{q,6Kg6Xiv2fMSUGrTUxbYjbOgBfPi6kWfwiwfciSxnh0lMZ8dV4pq4A{RQkO3mngkt61zlq1/KnIePfzokixC8XOKySGLw46K76z5qVbKlknNcIzhqsSdpM5r:EqNVnvVdnCORQrsZsMnY6IgPMlQwPHely2HuMeu2skKBRcaUtLs:1BH9Dg8T48AdH1nWdyFmdhD{c6eoPLcNkpeQVS1eyY9OeJ9Wakl1jVzF7R076izsqhcERRdoAVYBZ0l7S7tlvGM:WZmEGMXKQVv310GogMcEhUw0c,Bq5x05WpL9YpHLDe0{qZvSYCE1a6a0pxolqYSiekT[Iz5Yn20XGmDkmkUwUCW7lT9nkqfzic3ghm25YQBjktpqf4aGCVocr[nhYuAiRGOEtjFj0Cu9QzwMlFCGjTMKl8n52Go4gX9oeo3GSch3LPtR5r0Op4ghiccb2fQqKOe2liEUJ2wCqelsKfBrhbVCzfv5GY6sJJoNzR4VW1GFunmLGyZG+PYjpiOR+2jLP1Tig0LFIlwwT{x4SVgbSPKfv3WOD7dzF7His9ze9jwlfkr3FXQ,1f7DIdybM9WVf,yQgY/phlPQX5SiiGRY2n+cn2JiI1XLQPzlQg9jyjY{WEMtydZriEgjf7
1s88exwemZNZhxvR7MGCYsRFJBhrkghIDXhh+vA9iBRs0r6eBzpF8:vF4PCo3pAcYPDImwUjtvLisGS:fqh8d9IfFgL:M:fbzLWv6pA3w5yeMVyeLWH8rhh1UCsG5UqvmT/MWhyYZ5Y7s2bQ+CxrieQPc{kr5:Hmjl41pwxrlzTEovwXFO45Ku2[g9fx30/eGzjFp:iQgBg0TcKjOUxmyUrF19WVV4Th+vVJ+QeBA:v4Wh7[SIwow10XVFNmqhpZZo9lc4jsr6Fy/TIcVue0u,I7pMn,8KbbjtmK4[nlAIn3uGGjz4dmnw3XFt5LgJeg11RIEUL3Pv4JOWlctxAnCPR8m2afcFyKhhL:Wv8KS1MkwdFdK3dUZlKdxBgC4pI:j:a3vhr04jGEgivPz09l8v5cwgm:m30ZUzgdI1rcx[o{yDpvRORpk5wfWVwGSg/r712OdzsJedWQ7Zzu5wpJ0bKlY837NyvizXWQhFgqWEC6nVMsolC0SUkpK,T4r7QXqBzjsBHg7la3YtxBKss5tEeYODSoadJvmowKGELCaRu5ZV7,rCGncOUzhkLo4D4b7tgZYcjhEex7hbxq0iSuUhm:a{ZWbj700hgPGIoYATEGLo8ZcesGHigCTIdtZjJeO[nEuRGo/bY,ZD3ocSNrPw8MgP3gk3wZIqlLl1GKUenpteGcAxl3eQqv0PBvmmV6S83ntL/K0XMCH3",
          "7#757F7K7W7n7}7",
          "2SI9wQx1xfY2UrIWzJvTemNChJFpDGszD4L0Jl5RsuAcu3sHEOmeT4SGmBjiUqZzILhpceO1kDww5t+OKihbeSLLhzHbs1GHD986C,ReMmsJJIjf3ncTnt9bXPo,vmE{gPDz2REZsyx27Xs:+M+U5FghKEjHDP/NTUBz14o3SlI4VZL:r1t5MWh58v0iwpHrS8NktSTOJjheWXhQpd97E4bHtHUN2Ko3CU6olYm,6OEUPQx3UOJ9Km9VMd/pjFGqX651VHgLI3G7tibD7qf1T867qcY,4GH42WjVMS2Js,7Iao/lpMHuuliXcD8iOvBSVo2G61PzxO8JyOe0bFyX4OfzjeIK+c15dF4S/KpeWtTnu3kmApRpn{xDMS/SO66P6YphFLRpZfKyBghoL4w304IGR7o0NnKOWUTd78bUuLBKLG3bhnH:VchJCnmDieI5SJ81JhWImlyVjECF+uJLQYutOEj6Hv2RGxEeIKVf2hACQ:En8w6iHVW7mY7uN7edc8wMMH68hZiEnIaZfgKMz6p{Z3j9byPNSF2:ckyt2R2[Fu5bIBV:EtYvuef7RTxbBKBmwFQu2[B2L4ApZfg:bO+b3nfz63EN27cL1Z/kp9RzICFPuewWCCactEYWmJ97+pe[St5[OZw3tJ+VTksIcPlQD,LJjnJySQY6RMuIKVG3277Lsh9xQxKhq6L0QiOnJLzZO3sRwuUkYirCaSAweKA1ENtVpRMwkp+PmuUr4Br:xTe4cYVwJeqwIYhXn4yoweCHYkkLxtjPgOFEccuoiLNrKU2r8Wtn7g11cL76fMplBNTYIkY4ErusYuVMNgrYmqEYRHQnir/BlnyjyUTqzmG:5XNVOLSHMcqwKrn3FKSTw7ruKOHI/Xa1xqemzIY2LeB8axmVI6Y53idUbnEHLg1eyBqSy5bRfytbx{rLvdPwP5DRwGchuwMxhiaoelOWRDaKqGcLWfLiWLiK8EwnxmdeCIs0Kt37JuqtZcAyy5BdmIeldQiVJ1U4nGjkWI732YhILx+ltlLSqzE1zHEiwujR9cPf5klPgvapJ:wrctb0LNsRr8iIPZx:e1g77XvGI6B6MCM7IRhrKrxrz[0oiw2u2gX3KokGwP+7GlVr9naKTM/bIHXvoxZRm9s0n0L4PMGsJQk1Nhd9cX55em2WOQkVBFQd+k6owJxicp56Mtq5/ZrEJzqzwbZKjt5{iKIDNfmyLUVbAmwLqll3t8BxIKVlfBF[50L,+xr6T8u1KfDRtuPEjTovIBC14{5iDRXbNDDjj4eW6cBB6LGymJhLebo{WvxKS[13eSK5WV/KejMj18yXyB0LeeqIVDfKl1qo7U3Ufw/7IdK5L0gttx6guxAbI5b30y7TaXNLTykB0t/:bcg:p96C2Yp:mLdDy5rHDTJ,EznMwnLeN,q[J{UltqUtcwioFQ/bHBw:HHRU4czQt5scfjqdgt7uODxpG1FRw0w4A0IFJkfiwz0{U9kWVjFYn5PfDhduKYzM5[7SEb07LBzoU[2:xjmuTSostworQ:FH8fhdLCcrfZ4PhjcG7cVnUt9EQZQKo[yL4XP2ftM0+xaFRt5NxXX5oGaixiSov1nPLCy0S[h4A,HpnOU5nYzWK1u4pdwgIMt5Tr0xHRIC+crjjk7Qd4oYbt7WlSd[zRjI0FBQyNk9/0QFRFmp5diGScc1a3Rcw45IU1PtUPxjNGFHLPqDVEZE2vWZpzhmO5vQ4BaD982xzz5SbkskB1g1hh8KY8TCAd8wEXJ[6BnDsCaUysxoQnfsNyHX18uIPK9SkhGuep/GxGnk2NU8kd8lkKErEIQC7[N[o,f2ln9gNi3xIYmhSHMwOkh8KRcU7EP2FzRMY:PR2yuXZYrsyvn0hjvhG:Qnd,leLE8lAjUo71QLCKGewPrR305ofYj1BgdwkzeEeNzz8QIEs6s0qGMuHUnuaSpm7:FzI3p:/Uf5gZ5Xy0DgotvE6,Y{tPMjuCn0Q
EXGej5Jm7IvJNV3BwOyddOhr4njUZNkx0ousMLRIltd10jVorlbp6wVHKH70zyoygrR4TBsabzWRg1:dH9cG:9etDJFRHLU08kr9X9bgZ+hUYW7VXC8UsOYIK8:Ts3hTBckeh3sL8h2H4Xz/3fQrweU5zjkFRtFDRu8mJ6tzz+nytbUGK/,CCltJfJioEQzPYslNLVoxk/Fnc0L5hUvB:wdKdByZ5Lg64n5/Zbi7lWY8vTDV[1tvZYHSzx[LW7xf2q5tY7W64rgAQ6WJr3[xEqSiCP8Ofn5eC3OL8kf4rl9gxUJrSO9IbJx+yVNqkAsKN5[wXlqv[TFAkJHv9Hmyi4XAReG1fbWq{Fc1Vt0y1H4c2OCV0c7jxR4H6YEqZNSUwqgq92YtDKm6wyHe1nDRg9rx:Y[0HgXGRq4vJQ[uOAxFbRuJPdbBUUMW86VDCmuUTrQBDUBf8xoJOY1dqxKuffKxQi6z{sVlFlRr9HwEZW7MHBz5v1TD{b{XfbpnHntVvcjgJ8wuqhioQkg0fOW193gAtul+f8hi5SjfvH6b3ntaRmExtOfgZb7rGeXHeHLlj5y18oVCvVPbeHIBC6zOm6I16T4tk5OqRIS+rwH0f6RdSyYnsM,QEdH1{oZ3g0TIRYJ8CFVP:UiJql{nLikuwmID4p7cRSpZ:P8XyssWSx7sNcPjYJ1UrvEcWJE/3Q[1DnRpmvQJFUFCoNfTGS2m{SXmxk5rSWfUdwe+su9x2iJJi1CEqVNjlsq8ZiBY0m1Eym77ROvyTbyzmrmMfuHvk+h6jteBjX0szD6SRT2ZJ7CrOUVKfF4hkqrLv9JIbdE9xPyvtjuj7gPZeN[duV[g4kjci1h+tGn1tFyecKjRWj7pO3yaS7WKPSRxBf0gJHbReYOgjtRxyhJ+EkQRc3zyoWJa7Tu3ygZvPS9LGp{aHRbz2SKrIFDunGPjRsHqHtXUFFOyho4zJduVR2WrFmyjf3jJyRuAWCCnyi6xhuQ6TW664zbW5ni1B3laT2pvFUsmzkNW[gIQnCLmBF1n7+6H1j0rDD8JItHMZ+JoXiTYd9u3XxwkIZ3hCMe1bTcE,ddW2LCgw1MIiHedVAS75xZm1ZK9mPjHfX0/0EDFc8zdSL4jJyP8JF:nvxExWJFm1kYRzoCGqjpnXdiXrww/mw6nJH4fc2ff:aPgU2KAs3kQ2bwIEN9mNuJ4FLKvJu0YhXvueoLcMQ1HcTGY898nJU[8o8xil4GawK5Aq9{ZeBLmtM1fLCib:klINBLJs2ko1bUgl6wMKfWT9qUrnjRB7IRCCSg2O3wB4+8WpKi1xs0rwUNU4Z7Vy8DytQfJWWnamS9kcbbLgBfuZWiVH9ZGOvT3PQE7Vb3nZJlwmdwWubJmwrRb95nv3rhIDJ8Qwy0CF+oXGZbYKtnje06nzM9eC70gk6,iNsGx6sFw:65+m5MaDWcU6W796mW4DoYwPwLGL089GaKvlZJ6dzDf6wDb[XRJpM1p9eFFen1pBqfYOOcSmeXBVpM4YeEvUfYjJCQK1j:CIwfncXbyhcstWTKbrrPVr/dnM35KYURz[JVnzD34GhhW30n1wkbj4LTC2gQ1bfpcQfeNnICMyFERitWLwUHGL1jRcF3QGrSuXdERFIDSmibvruUMShyJ94EHD86cKEIG1boYeZ5MIjMmQTuqXlPVPfxUQQnU3wMVJV{txYCfYXbO94VmL3y7qGKS0EU65mNNHGU86v1ripY3vWsZodUNHOR+pVmu4y{Gg7X1RJ3FUzrfwvE1vSL10Px77C,+Vf[mrDuuuhSjha5GFskP:JPrsxIJIFBPgWKnjPoYpEqZkSfJ3nmVJIgOw4uFyr4OEH[Dct1d4AvY6D5Ee6ZeFdt1PWQ3NofwdI7LTHivtP36kfN4,WYyGlYfVuZCShnG8P{rUENuGNYH:RHXSeGUXFOIGhlb0As3msiyNJlzLMoKe+b9N7H43m8sHw[sCPtYyZ4eQl{ZBMblNnwRCopG
r2SjDyRsNoeQhEHkYS1rlT,TP92FdwjD[OmRxixGwLTy0RmbgcCPjE,SQnCMyTERk7EJ7osnTJ90z2OL36eJ:et774I0uR5S5XKJJlbitxbIQdgfmt2Y7f0LV0SfL/HWpmYfoIu4XPIRgC8MXpE8ZhpsyGRCNjC7yimTcgdZnvLxsYYMJhZv6Ug8zGv36HhqlV2ELXKweebF2mGCtJzM1XT7RJS82/WPqHFXcuB8KFGW:QiIf+:M01sLDyC/8msqLAP32lMIzbTHh3LXw3QmbdzxZmotxhLwWdI/VUVqCRmRdKf6xC4MFGfYNuv0ZUg9C2oeKbygSjmKiEP47dtg5lf2miOF5yK1vBkCEBcTcEYq:wZ7B6qcmh[LsXghJDWuJj:9qbQw8CMBLaPiHf78ZAjCwVeW3R{Z,oBCDQV1FWwVxBTjclTRbht+LnoCyGyAJ1vn0Tx1jYR8g3dw{XQTw75i2cLGQnUj{38RpYwBTdi9ichzMmeiDi0FxqC540PuGL,hyGELsEpfttjdke3gdL3SUvkWucZAPVIl6WxOnN4s16cKsVQnUsEPjl[HHuT9Yu,qO+zYzs1bqk4qjGg35AlQsKVZF/evS+Dhltyly/Ikiv:ZydeafWHv8PVKLorUol7WYfrhfhv5xwk0S7qFkmnB4ZSF76JeZ5dztEEb3RJnkYpwRTb9hgu2bUQbsSKl8x5VJzUHUxFP92LQtaUcz9d/9PLaFXcnoSLQRH2b1JXaryQ30LZW81jSDfw9kW7AhGqapdxxcdbpsTgVb5sKPmp91x{acYzFIw8VR513vcO7zAZQg/GVxBnYtZhxb0nbwULOZYmm:LmkzcxhlNKI68cL9LMONACOlKWZOP3COuzaqj09TmtIQlGW2bqjVgJuDeC82NBPPkOg7+JQBz3t8Yso3SuLSHL4:Y9KgOEZtAHpNPX4CH1vZzmwnRZH[eO6o9s8byIpfgFn9zQzGZZ50hy6[B4qI2tamaquPxLlKUZrEwY7LeKvo5EZNjs+bkyjwJh8ThB3vX1JKBf+j+VlhqT+uilgnN[xCtbErz5xUTeZtcbE2pDK76umnrGuiXoRFmbNOnjzTHVfbjUjv9hwe3sG5wK1Gv1S0PtCJqKvIHlvdJZum2LbeUMqmrqFyNXlPUDUWQtO8cW/TSOW[l6BFjLX51dLtzMpBpCpL8PS5XDhXKdltBBdTK4Ttx944gZvqJ7X6gxN6gTCijB5{4,bF1WsNsiAe+qFBPUS{ZRguBvwxGdU9sMZSrY7FpWNkZK9udol9uxqmRlIW6xsW4fNTlriH33SuDx1:0htS3YEDlWOfUqf3SgNeZqnEc{M2/gvQJxU,tETCwEDSvkXhMyQQqjth4SO:x{oQ/GUCH{YqaX0m/nhhhniJ4vHntJe2QXE{sFedRWBB4byvVn8uM8pFuifoK2gJGHYm3Nuz+KcGaIiJ/tOJwrzkpDys7yElwZPp7,Fus4MQ+TlpeIHjrDL{6gtT5WDc7IEcklIToHwL7R76/qUUlpoSEDKoVkjPsGdskwxbIwEc1hDLi5BT258JAOgpeLBMAe9XuOZYCs28MDZJ68mvMBGXts3ySQv29IeTYLFrjTvlA5bMPzpzoOeGeRqErwiXaoJ61LbovMsRehTuL3KciNKsf8fDiUUofXx,uyYWdqXRlWVLW09JlYs:ykjDtGQbptNF2pLtE{fBRfEVXYWfr,p:Jg+9T4T1Azy:IUcWFxy6wrz,UUr:WpAzyq08TqDzPGQD9pQgKluqYcOWN3en0Mp5gOwgEMy2H8jRl2A2bF575eLNqVt9DLsLusjqLoDiGhfbG4Nd7xdgXbtdjOZlp4ovHrLBmiKy3ZCI0Qz38uYv3CvV2lSqzKaVrbPGYQddX[ISmt56z{ydmmtRuiGdw{tLl[HhyZLZ/fnokEWsmwMosKn2Vc/FKRHOE7v[2gf3KUL5EsOjhMKel:DRExK4oZfjbbYL/u/lA25tgqzqkx9e/3bWj30
kn2fHEmv{RXKK/DMwIExWKrHT2nFgED1ygtkhobxFbLPM0Y8pRFFXATT7VO36VTArfdU1WOKXxKeGRMUwzmqchWDJ1vSQcD1hJicgdRFWzPjdZbRzmQ0eJ[rowTBDs,mC/9m6gfzjJlSoQws1ptwfunVYq{VmPZHCRmSMWbM6dfx1gkHv+f2zxrCdxMLKf1a:zfTPtvTIjeCiDGEgL,/PQLqkXYd[hggl4kGYlUEh4Mv6u3+quWweTwXSR4XsRiof5HMIL4U65eaq8gwRgMXPSlpkN{1m27Zz6zwXRjGycJFCl7aIVD1qQ6ikuqL6y69VbiXcLKQnh2wL5EPQ4GaWh8JV0QZnpz4FgFzdJoUhQ3oP78FnA89bX0nCt6p46IeWLr7pP7RGMoj954Vdt0iOOJ/:iEV[v6HOYcmOfnxB3FPOf2vMr7E:6BsMgNIywcSs3Z05gpI87boBAXwys{M2+RnSRGHVNY8N9MKOxX81xy7,uS21PU9CKvHCOncV2svVY7l,M6tH0kZNqv6B71CTGZUL5B06VUsKb8y97yFed8wnf[yT7VkQQdAlTGkdAW+G5lqY0ItRIUz{oe5qxs+wGxNq/BObVkeUA6z{oXB4MpKc6jy[VutH5xDXDX7pLsGhgEeuMZ/6stKYJSp[KZt4hUEMr5ludR+yR{GCxsJqk1ACs1751KeFO6bPFOZ6+22f5DKQ50fPQmdnq",
          "u s!v",
          "?#?+?0?J?O?[?}?",
          "SHLWAPI.PathIsDirectoryA",
          "glWP15xcm6:d6zsRUahNiBqz6EvG0R,m3w1wvEQOdqNfKkz56cJwtRxjngq1H/kxZ3G4N3n/bdgDEjPucBCDWQ9t7nXxJ7JRu3{yUS3TQ55G744iSKCF2WRKk50E3/XAzUJUmZ9YxpKg[JNWdRwhvRT2mx6vFbL+RmxYZv:nhB6r6px0odw766rPIubE1jL3l7UzTBL4iWQy[x1eFrN3QvgqBzVXstZu7pRcRRgvMTuGBvNw:0VpdrbQnrPZ8ByZ{LBlN+[3YyWpZXt8xB3x{MCZcWl4vP8QOsdqkep9yN[fmZnYkinriIJigdShX63H:+j18mQ2Bf8g9O2jV12CTuRWlZ5XXu29DSZErqmQdthvFxLDL8RZQsDa{BFY2/r9X/yWmUFvCtH7FrplTsVpNXtZMuqcOhm7I9QaBUQt[2u7frj/MczPbOMF{VZr5r0tLC3KX2hgeRRd[8GeJR4Z9MItIpr2PdjQh2ZU9PYuxdTKe+wqdxhbo3N85q5m6IU8jGp9SZglupcIcGL6kv[oMEfwHWSkFWYD,VYR:tuECk91Sr[Q5h8RfYsmqINO7R[ql4xpCFYj[Rsyl5eJHakZfBrBGnTvMURqQjlD2J3ir/KmvuNp,ACY0XluddlcpYW51sgpk+WcGA[NwFPnH1YVy6itI5Jnj/5HRXnUQEKz[Whfu8:scixH4c6r,jOkYQRSL/L/y2Se:Ts08IXx:f[YQXr6SdvkZKqiUWJV4ixFGxDEIV3IXCGQHptQQaDnFug9f+nr4V,DRBtb3Yh273[QVbYKWURf[2Gkmrjbwe8acIXBffFOdtG55twPDezRZeOT28pyWlHNOrPKWjVgiGPKOL1bddINT4Xvg4JsNzNlbYsrUJ5lDzHMo/i1KTGz5GvzQ02NVND8YipUQ59VD8DKHkIqgpYQ,G,pjEwMkDNiklY39+b0HW:e:AVdID8Z8D4N0e9WDgsTdxDcfqg9pXGa142dUmj8xvcxgr[V7KEzzSiWho4XniZrkG1X9tHqXYVzxPxrqcq7ppnEZxx6us5pXVJdG8Gw611ytNjwE8Y1DMy3YgjO0Kh3BHGsu7qquTDLNdiqrn3snEq2ZJCEp9y6O00brrvlpwuIPsW0LWkIyfBmez7xJmtE9Av9vU,Zew9Uk3jI58UV7G1yjJnyC3EtsGBbrbcKtw35VIPG[wrkfIGHkCH26dupHS7Oj8boDXlj76FODS8cWHYwo77Q8IVhBcDpXFbRXhjeIZ,0wM2uxmsIXTocgmNIMJ3Vi2lz[0cks7[DNDfMVpZ1WzwtZqNAqsnWo+gHiyqiyY24IRnLMCnBNDQDVBrcD5{9ZE,DQkWx5sJQojUuu6vrZWQ+PH1iqIq6LUgTnV2Nk1GITMxf:v2G4SBt9rtVvJOe49:KTqn1JSIOtN4Yxm2PgUhmOgez[LVQtrZO,f6j6miv3oqtklv1CTn+rIkHxioxXFyQ6tvev9pLYLHChoOa[1FYCBNuC6L9HJXfIS9ei1TLl4rSrlBxFvMiIEBacG{j:QWOD+qlvSt3[EfXk1jAHqy5[IWSRtfzn03umStM[eTIBluqmldvXDYOdLMli8OV7AfldsEMdoZFwrIuTTy08+61k+lEBTz6gmdPhOUsVhOOSMqLDqTtgWXA0ZyC27lEcjkqryMZ2j2letosDc0ErrNSFVwvlXLv:Wt2vGyytsGFemsyy5KJ9V0QYLvLOadMjc7QMG{Gnb5j:TiCj1:pcyx5tq2Nve[qc5m8Ek71,hu46vt13L4TpXki3JKSlXP8:g6nv+1/PeHA,weC6CfBwVRgJfpymC:SwTu5RtLl:55ap3jjk90cNK8Yve6twOIfkfegHvSKqhqgwpvdb/0+fYjxuSGwnxv9HOk2y3kibj{1udKprhnVNJ3YI2HMx7WO[GgkbkJjxM2chn7G[eHU2IzftlV5Vc4ADAXu9V:LUvO6NwQ3hFB8o+6pFB{wdebl7vjByQBBuz{x4
Fk0tZ0JTq2j49bUJ+ORUIQ+iv6rio[VoaLAmP7YgPjTN2y7bSn2T2[5Q13CuCRECq1Tf45gYdZyTm:0j1B2ng[pYsFn0m[KUfKuheY+hf7p7vrv2qf/QLwYlR:f8vhQld1NwZwTnzVUeRlbg1ziN3rLw+o9[NZEJZGYwkYsK/bz[huWOeWqc4S63S1Kb5r9XbtoqHkaDYwordJqzK:tK9wEC6kNuyJdBLjeczxzmm1lzR:tI9I7OmyusNUQ0iGh2XgqwyJa4h3U,Wg7imfsNkTcKq5ymnVCHWbe8HtTWacE9xkVBWoVcRgZfyKxh4IOuzK+5m:65juDGj6sxiPKN9y1J7SY4i24tDNiDtbbiOUd8fUWBTH916:DL3gICINyEkNjn9HlbTeWKa[iGMiW3wX/[yfo84WDBVOjzwRn7eDw6zXbjsM0BY4uM4CpXjgzVt2C0p8eqOk55rS7LU{s203G0C[S4OHGZe8N1NPxRaH02aikVC2QCmko:HMfLEuP[ueODc5/[U7EdKmcnAPY11hsuoGu{ReZH/[dIJ0mgr2H5Xc41WYJ6sli{prrim21Lp2VkK2yPF2/GyX6deY+6voXOhY9GoZiQW6XtLOIObgYnKEhNoSzzUo40IHvf87uPsPTX2vZ7trczBgYqZO9otGq,eSR07B2NWLPcz1HHK[L3UXzUC0LJsO7xQhNN08xZ0G708dfVROypAZP1UzKr3hisFVxznkhM2kLZxH1[lL1SVjl8qto5aJrsA4bUHfk6h:3T+TC4zWi4ejvcLhX0oYupAf5rLXt3pxZyNbd1QOSzu0odS6yfvB3nPZ26TK6xMlcbLUTDOJ1LS3mIUggJmRfkOd10+ryqHp1x9mLztZcNPrJi5VDmxogIosnD+0oQltHXHKbLjCg{KsC7jgE{uy5YH0pojucsH0lJqqbnW7KOJdbYcDg{+3vbrzF3uk1zOjbl4G0[H4diM:Wh2GVZLyrlMyh:R[wemxOLvCoRWmMIyrXDPU6RGDJ7ukK9axprs7ZuN{dhJnkhANgfZMG4JPRvKxabIiTlvhNbFlDO/Rt3AySc5:LdAC5vG7Z2vqJfG0Dt8Hb5u4iRl973LRHKBpAmBIuor{6ii2sqEi6XdSwQgGNnr9ztTPJ76YyT6,43IozeVmR2IwbCc8j8dlk7XMw:YcG90hVDGPSLJUwvJbaREfqCzT43wMG[fLFgsSeXtFkWEJIPX:+vD7LRLS9vWE3z7Qn9CVCnoTRNuvDcloZ0pCFJSK3QenztmlEvKY52O9/EAsJtzfIjCPUej,WM5JpzOZnPwY9j/MEfozqta[RGL1wLp,/hv:+bG4dOL2pMvcr4L5JTR9UQi5lQVSP[E:2KyLrfEhJiO4sixV6sF{kQVxf4323xZPlhNief3ugFszQTcy2vhkkWvCUsxg86lM0k/LNoMsvcs9+6B3BRWbHIEfC35gRYnUi[GTlqh9wmCQcve1O{lkrLjho4qyqqmsxdPIE03Q65Rj3l+WryA9qtX,PU0PcPcbaleTQKWI8NPwNgq,hiFSNQ/sy90wJORmpu+pD1zYUfxU8IMlQ2mk7dAtXm0foIpbfHABR75{8exKfw1gUKFZw0VGI8329M39kp/EZMrcStBR8toKddzn4RbYgfZVaonBRFmD6Gyux7g{CkIRFSE0/n0Mt[8j/D69nyfVGS7qXmABEyVsz:UsdhYE7UY:g[gk4dxZtE6RqFAvkjIVJzkpOhCWiTdYkg02WY1nRSqDCd/[tn7GfF5eQhPwyqbKuUDDbGtjWUFgaMZM3q6nIfiSzH/2cINoq{G8I0irAGgD1r+2cR9TjutBoX7l7:Ob6vloh9MUVQiCONtNzjl9NzNzROMpcB5yLhkmUbKy8B+9WIkcHthsmEcQkcXEBuzWwhC4mF7LDbJl9bryiW6P9JvUzznwfKLgEMjDaJCO8XpCllcCneJp1BC5nQ/t049SxVkbSQJQhtqsUo7YYOVQNNPZx1KT+8
oiCPLOUVKsH2gZEsbvPT+dw[O21PCQmu7N+qWO17YSMgfGaX5ef8NlUi5uAFS8SjCF1wvJMFZWgqfCRY2bJwRb3nhChgPUvxcgWIzjENmmYfF8VhMQYiVi9Z/NX7DBMda55Hzzo7b[0e+myFmFlEIYCK1Y8FISvBS1V4xtwZsuO[Yr6x0WWW4ly9mOe4lpb{fpvQxoc3je2mgXCXxrS,mUCEc81bdkqBPKpR82cueTi1L{DL0sBPOJ2kTOwIbx4zKufRkxtCSuj[1Bs69:/jsxmOl8TM/3FJ+BnlD3giZgCWALbUP,5sEqqS6imY37a1bZon6WO2OExgZUWk/mqDMm46tgn0lnM3TtMBIOAm3zXrdNsh06LtTJgQpOODIbJQ5rtPmthb3E8XN9kLZteISmDMG0d,GBKG+qGzOTLV1cH[hL0ZWx1WyOJFCy6eiwbIo6veAUnvWBcMZy51/E9ZZeEZ1OZVK67M8JZUgsGrgPF9ip2VE32yiNM48x9qd{w1cJq60r9e1T30d4hpmoyi3Dn8OpS28XF[wW3lPUwkYhkUb:XzDGrO2ZVepWOX4NptkigW7lncdfPnezsY8l5BMHmwq8DkI33joxJukHbNglRtBBCGEytUDWVEdODG+oa6hroWM7sYj,sd36hwHM4[Slu12vQvhJFgk0RG5TrrQBoD65+hlbbpsbaEAJrziT9F5gvOWFcQHyoUfMv[tB1V6M3FaINRQlNGDMoeo8qv0pm1NMQFcimpvs0RptCHO7mnjRE7CIsxRIyvD3SrgMX6ydpy9pVp6CocM9YxkJZYqlFiZn7JzTbpw966YjHegOyDF2w0qrR7LKB3ewt5D,elXq3XIVDHHyQSIJNlcRBoDMPR2Iuw7tqFT06vpgDjEx3WdrXVuOH0arpsvcwsG75{48ETjH6XEoFQOnSY1O8UUOBll{zoq3n,jwoLVFGsbsSHBBpuFBQZWlic1nhn3MoktDLXgw5coQ1ZeB+{uBDw5SC:yNY3Ov5ml[FXY{RRurdSWOegMPgRuqNRsWw3o9ovs99wgS5EBPZs/8W3DpJnvpbsBMEBAPUFmGu0ptdzvKcMR2U0d,OXsdA71G9Hw7EWVfgLIUySyZaD/eSMW:96vMr,K4sITn55YsZ17fHdm,+v7,gqYMzHR:FEOxXQL9cdDiq9zmSpNgAkn,9oBP5szhNwLx11cx+Phe/OyLbsx07jKyIDrF+KpS4RgkPzVCDCaiF2vEiVzPlqYwtu2:0RPzygi4HzEwf0b9TQHjtEoOXk3TgcahTZe3sCGwEOg5iVBZz3WW7wkiNIMrnH0ZuSagxOTBaU93fuzD4BD7yiAU9MT6yUdT+fdoMjVpOOlOGZZVdXPV7cfpzMrUnxewB5eYrcA1buh[TXZ52fNiCf9O+WYOQBPbvimSHNWzD1y2c1vfuJuQvwvNo51I4IW9Gw/fG9zVEgFD/on2puupPUipRNDcAgGVKkAQk1igO0lNcCgoVwBCIvWlURaxftnRCSqsEfyG4OYDLqIO6Ps7N7m960a1s3q[85o9RqD7c5biQoomEIWwaNbmWZr8sQg6DZ0IkBHhDhfy3qVCUUV24GvmyT13f:58GNpPcrbrB:5Ypqsg6hQKkqRzbcmUGZn,QPjxHW+V3O0J0m02k{9NhH2QyidGF4oJ84PwOPTVCXT5ZYef8n6T36N2hGWW183YwJ2WP17L8sAYrDsT813fCLsRsH0BT4aX/E8PAymxKdIsAsMzFTIIqrmqyLB4lCBFC06y0PzygEKu3D5iMgRNv38WcKBgA8LyS8llrCK[AVGdI4/4FE3zC[N9mGHIbQIOkEd2EOZcJLmQMDFdPVr1dD5bAWXENjuntW1Jo,7ptQSdZoGNjV6YD[1[kTG,X2ApkotqPIdnUMD7cBEWRJIIaODvtna:lTWjhrXzStpKJ6wGwFiy8IDLAqPvOYP4NPx4Gt7Yumlt23hqYEz[d4CSujssSNLzKMJ9YjpinzAxxI
6b5CWPGrj[X8F0hx/Quh+vHwakiOyOcViCX7FCuYb:JvQz6kUgRRfHyBOjYRAZyjH0cHditHh0a[Qgsgs0O,qKvBFQge3:EY+,VqJFWl4IQ40VdoFeKtxNuoF00LCN8kJbPlPJoneGtmc8u:F5og/0mtJKpzkn7mOrFlE,LvM9YgbsU5O5l3sofZm5xsPzuxOMZEqeRTdV14RNLDcuCjEI8Ju3WchqTXGFYnP8VUR85bquChwQnzJiVN2nUQtDaxFkpfdn/,fLTmcWKYF8/gEP4CNUN1/9fQ8peEIV8vI[IEMpZfII13mYRQzpy2Svh94f3OOs38GZjnnCVzXdDLz5zcAzWLVWN8woujHMX6UBD1SCTfARGVayq2sb5mrESRLP0FeE5il3bqSVghtd7Bqcp9Gk7yUEBVH8tQgSgEIJdGaZ2B26U[5nsigVpr/Rz{BYtGLfKEn7lgMUBTa5cM128JywBEdrVFnWmjLdVtKecdVzJwDCyCEOP1eMNL4x389UV[sNOhVOPICrB9WgLHMjOzqXzyHCQo8UtnSq4e9HFihgIeB5ZPy06iFQJ,Vp1cn5eIFeCBqmm5ovi84S6zwQxtIL3TPS/7cHJlIi1wv9I[dIUDnDK0OcR[ue14H29MyGdqLJt51gW9hBWyd5IcgqTPmRsHqgcNkZHbVDHz8He0LgHdA5fV35bKQFshOrnUZUI0thGjUrme40o",
          "BullbonyaweeWaitsnugTierDriblibye",
          "CameValeWauler",
          "6,626F6T6^6z6",
          "PathAddExtensionW",
          "SoldKartAgueiliaRushWauldhal",
          "|SVWf;",
          "Ml&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
          "SEh3%",
          "CellrotoCrudUntohighCols",
          ".itext",
          "SHLWAPI.PathRemoveArgsW",
          "GetCurrentThread",
          "GetWindowTextLengthW",
          ">m?s?z?",
          "%l&#l&#*",
          "=,=4=D=J=R=g=t=",
          "PathQuoteSpacesA",
          "6&6.6A6G6T6i6n6",
          "OastcabskamiKartDumbInksSomsMass",
          "5:5B5[5p5v5",
          ";JTs*",
          "T$D-2T",
          "KERNEL32.SetCurrentDirectoryW",
          "1B1J1P1p1",
          "333I3u3{3",
          "151;1Y1_1g1~1",
          ".L,\\,l,Nw",
          ";#;);];w;",
          "@.reloc",
          "_^[Y]",
          "PathIsPrefixA",
          "1(101F1]1c1o1~1",
          "FociTalcileador",
          "KERNEL32.GetThreadPriority",
          "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
          "5l&#l&#l&#",
          "PeckQuinFillrillsaw",
          "l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#l&#",
          "?=?C?L?e?k?",
          "Dymt9Q",
          "Nh(mB",
          "= =(=R=u=z=",
          "202F2M2h2m2{2",
          "QSVW#",
          "HoggSoonLasstwaeNapeCeilBawlscopdub",
          "616Y6_6g6",
          "KERNEL32.OpenSemaphoreW",
          "IsCharSpaceA",
          "l&#l&#l&#l&#",
          "5%5,5<5A5]5y5",
          "efj4xot2vZRJjEoRX3B+YvXqQEy6b+EnMWjwqYmyi30fpwN5FIHcBodWlxIBHd:MDGIIURyrGQ",
          "sa<`N",
          "RidsFineZingMickMomsdue",
          "SetLastErrorEx",
          "l&#l&#l&#l&#l&#",
          "!)!+f",
          ":\":-:>:D:M:[:b:",
          "`a'3w",
          "WainMeekPinyWonkpooflaudsir",
          "8 8:8Y8^8f8",
          "+l&#l&#l&#",
          "GlobalAddAtomA",
          "USER32.GetUpdateRgn",
          "Haesourfe",
          "KERNEL32.dll",
          ")0/0E0K0U0",
          ">!>&>.>E>V>w>",
          "l&#l&#l&#l&#l&#l&#l&#l&#",
          "?!?N?b?l?x?",
          "USER32.GetMonitorInfoW",
          "XARKxql2kYbPlw9gch:cQA2jE3v6dg7WE3z3yCz0vSJq6w8dhWhfiRww,u5vmpLDHbjcynGRTiv",
          "Dy_HK",
          "Nl&#l&#",
          "1ul&#",
          "?,?8?=?K?`?n?u?",
          "7%7*737B7U7o7w7",
          "GetCapture",
          "<!=+=[=a=j=z=",
          "SlabKitsSlayseptPfftjiffSabsdeskOafsNowtMemsKirnKepiMiffDunt",
          "DyokI",
          ";5;c;k;q;",
          "0.0;0b0i0|0",
          "gaA<CeV",
          ";?;F;",
          "GetClipboardData",
          "?PhatStumgatsli@@YGGN@Z",
          "PathIsUNCServerA",
          "1?1a1y1",
          "SHLWAPI.PathMakeSystemFolderW",
          ">l&#l&#l&#l&#l&#",
          "vS+WLO0QvIJzAifMhNhb+[ysF2PieT20ULF5NeIMm:r{8taxv78BJvhjK[mNBnfCY5ImlSLMu:LxFskhQvEJzodTihYjz5sdT6pkm6gKsutTUqeunNOy7Zs0nTWQ205PqUzqk[p1K54nM2SKIw99spKzdQCThsVki7H8E6r,HiNWu6UzFtg2fqq2FD0OpofFZ03zmz8UibGJTHXo0zfQqy0NLqI69snp3JFNQk2roF3tj6zbQhlW/FdWbBy4IBcSm71phOJ:7d2M/8qS89Moj83L4gDGxO/4N63DohxbbOMZPLlbyQVJz6jIcwh44sSBH5RYibc4qudToiatGEkeASVQu,97MK/s6VBM8Gy37jfVR5LMdesLW2I6OsIY2HG8xnsHOTtJdqJwP8Q1H7NPi,SZUjN8BxkU2oCncEuUxiFCIu2,nqQ4jzyCZzS2kqgOur2SCbwkqlQcOqPz37Kxohc{wniyBpSOcppcKHTvYiWYX6emwqITkSg0iUQ9q3vz/7hqHN429YsRz8ycATbxR7pDENyJvUpy18muH5DIZCV3oPAxJEz{qi6,8QSDLrxlj,xTU[C[HKwe9RoOARGdd2lBn,pmsGp3n7RBg1bQFzrBB01SJ0WzzHIi6JJvk1Kq3HGzQz7:7[sRufZEtR8czw8ndopfN0f1gNNvH2XMZuSqns10CLxeWHXQg3eKDyoQsszPiWP8ZIhg4Y+nwH0ZQgdz4YrfwUrSXOCVifhklQWU9Kcm8N+Uqq4vq[rqQf3[n0y8Z77bAwn4XMnmZH3sAo+5Ov8hQbf8mNa6MmD9yOP5nKq[8c3r3w1FiNjJ20BgDTpCTI3pScXsIX49kfUP+MZCy5d2VO8Irmr3dNwNFi6iW{bzV5JFXkEZpmmUob2:S0MyO6uV1C0W/hBhBMKj+JDpm7N4bCBws{LKwRw2cER7O2oE1t29DoP0+5ad0KbsAeQTWiE:JMUGeIOcaT4IFHchxGcQwCi1RhKRWbtHD5rqlK8eSORGf[gwklpsW94cDzUqBHHxwmV954c1TI/:fRpxhQw,tDALzgKM0mM{qx9njnR2g0DOIYF45mJFTNCrh5X1rCsSJ50kwL4zaGrszwjZiFFRGu1SodEDzTO4jGfyPI/CA,m21Sion9hyBBVB15zBAK1qTj6BL[2gGvTGJtsl5HB67k/pJNmHfqoBwMM9JH1NNQ6:i5xoAhjuJXnB6l6ooRw{OR9ON8WF8wWlpI06azho/6H[BSvE87+zKL2Hg,2qs1bOWzcU4cg2h49wLiXyEQebGWiX/n1Ow{ZXXRHLlV6c4[VtfL8T0ORuMEdrXtFsPkOQc{e7YTm6jmafH1qUcmT3/h/:17AhTsaspkfWsnoTzj1fuhaEIR16H0TGmU7{/Db:dQTZgdrPN8AxB0L,qgMwnkni04P7DhnBXIZPvbqmykapYttrywtOJfMEOTE7cwGedDdVgLDhYfkN2WAdlyTo+CbFm5oPyU9IGXlrrg7lh[McIrwpcghEgLtc88YRnxWfZX7E4NEd51WIfxP71yR:VZFeaCSmDJHL2buBCkawk,2e+1rfQQfbspJYa2aoq4JhFyTO/JOvwuR9vjBeRkIB4EdVtjWMc3mE+W5{gsNRBIe5IjVMa45MGbgV3UWM9XQpphQLz4KkMo/cHZP7I0p3yiDMDBgxtekZysrB0DhzdMq6foSvrG7[R6ue9pjkD3KLq9zXgyDpQn8T44KB4PJumij9f3gRJVnV6ldeQS5fq9ZKv{Vpoq6yZdSof15e+E1XvCivaZt5259RRc0vp{Y,yRDqFViJu[otJe6rD77oJ4N,uNYbibsRGcHp/CRl91rLSkTSjB8EZuSRJhv2eHavWlEks,knGJwlwvDecScoFDxQP[bSV5T1ocO,0nZ4nVQtt[7MDU5Oj1cBjl+FwtVCDVshBHwWqg4:nk5EThIiKuHOT2He8{Ik7tYgbvV8OKIrWMvCVFr:bFqPk{cTn
t5CBgfxt6TgX5iWxzqzwbgtJn5YQuzXKouruScQXrSwSfvv5Fe3+k/iLHcvGhiJTqtGiSFRJ8gUZc8E043fFbc5p9LkoklX31mhO2woaQfb10QG2uDUCdg[TYT3veV9RxBWCy8ZPtSKYrA{Y3ay8NX7RisqJv4zCnI:HrTrxudqrB297jezcl6nmg3wd:+3f{dmp3YzXW9z+ka9IDxpNHwIzIC13r91vFe83NCbNsJXau8uYiU33PLgVngeyuC[4Ght2nQ{j1jHW1deM7N4XiQLvt1pk:QTpDSo7vehy8EI4JUZzOreAc6NzBXuVe+:ilZsY2q:0WCzX3CToCnidPRDVGTjJWrig8n0A9yht8mOqJ3LgHB3KKiZ7CAkq[a[CWvxjL/paZmdAEYnDZdSCS0lnrDqyyXDZbw[PhtnB29zA:y9JuDj4Z6OPOE[Mr/2TrG04P3xv8cTgX+1FNqzW0J[Kqsx4DPf8qQDacMVTXxrsx1B4[Onwi7RvyqKKmKiVDtKZUOGFFD6u2v6lPHJY[zDwzcNl4Qu7jk9a,pPA3kr5xPwVIHSHZRhKrsTR6xTButXfKnXedUDj,DN9QGV1GqlnwhDA{fDCxlljfQrkiwR13dJnW64+:HXslQHFw/ptyIp9cy,bypqo:c12t8v44B,dh99JBT[XKAqLoji/jDWFks6UYtcT:CxgPzV6F/Eq3nt2{/0KRQkqn2gjk9H8O3TmzFW8vTgWSXeJQAIhN8gCX1GvfHykH8xDQeZ/Ok{hlf9qfrV2NavD:DH5bwFgqQ,I3eCgESHoKCGxBQD0EuVhRtQq8MFIsd3gGIX/6BrJeILOMH2xUX1tPfB9,MVkW4w/{FNnCEb4mJj+dO{REzFsjlilyByKnLs+Fbv+12p6HUzj6MQ0YGSt90Je4WHyJ4:ijrlwxK4FS81nbzD/85p9nj,43vpb83KcKFKi4B5P6Vkwk6qOdvXJP4,M,as3{IJBXOLeW19lhhT9WrdeKeIlLeb9:WVYVWUx81ddhTVOmo6inPKTmY4muz[yN7yjGDhH33p3iS[KhejgeZkSrsdMkG{LSRCRdgCWg/va67sd9rU8tn5g7FCdRwhnjJbfQNGjQ5vWHHIHHBxkgU2ldJwXxB7ZSARn:Tp2{syu1UNBw/5SO5w2NkCyOCPT8zzAnOmukzsHcgiuMLUvHdT0llGSih57tPVjt3HqhhLimnmWseHAqdjxEO90YHl0uUftWv53oN[KgsOu9CLxFmfA4e4lby7WU3Ka4Zq0Cj4IdU0FCyyN5eq4bIfvz4PQ2d9GjsRH3y8oi+vi7LbxJ+5CLHGKdzPSP6,k9BFksHtj9F{wffnBzt{pOq2Tixyn,c6CM89le2TgomTDr2,8I7ZP5WT4DEZ+Di[KlgKbyKoApk57tb[4VAPrRZpTnNI1CTzqCnlWEGGacOYr0HwzlbHJmgqqS/X/m/8oYkz7VRWCNJxEOa{Bw9V/JqkRo4Y2mbzMWJjh{dq6T0BFMiMJIZB4uiM1U7[eNDFuzz[FH72xX5{55kBbWhmq6fmWMzVolkpSKFwQRC6f6ODgY4Y3lEvkmXnlRhhkpKykHAZe2LPnK8lKPThmyjWMp/UT3a7kU6ynnuovH6OUi6x7Efzq1HmcfKL3CnqRT8OFrPEtOpHiDvrqIS{GsKCMmFiQbscw9pqnKFPe:Mty6oBirIo7fmZtRddoKPZC5a:ATa9c[PzYXSEXK+PhECmgcR[u:7T4G6c0WerV9TJ0FW1z7mrIHSdyFziNq+weKeFPsyWdT7OrSkutznE4IPQoHoTNu+w7G4GnfTOwfWsxtwgj{WzPmlF7On17n8zjoZ[1pV0A:8VTOgmI[t7Q:ZZ8rIfYIh136SRqQVtH9Wf0r0:aBYCU3IIk6c{MYNn75eQjBblxj+[dMX3Yrk:rD3HOwav5pe2B0uTyInY30F:Hm1Ivz62J,KRVyP5vTcb79WlIGJzh1P7dHFR8fAtH,umy53eiNiFy
mDMMbz5RW/n7vgC5OeyxbrsqeTHZPhiEkKJLT+6qp3LXLcQ1EHFhPDwctzyHVt8Cdjxeih9n1Iz6jUTXPkDsgvmrKkd8CR:+W6Z0tzWFeG2v5EUjBHzxKuyOOZl7JXJ1Ou6f3AKb8GDeYvnN5AO8LL3OVEBbgXnUqUjhTRYotK{k2mCuLZm7ByV8k5uyPJRULRuzQnYDiXdMpSM0[EH7Z6F+EqhPYUwVthreM/T8vZS8G6Vzc8Ue98JzKm,4G0,94pp0:N7S2xKNysVLrJf440l+2MM7:lm/zxXWNk7bxz6MM6ZuXu,XI+1yIV,lOifbil03Wr,42GnSWC2rLkYMu+ttZ/5VPhZpxXlDxMeZEhMWgGUtr7p/2yZ/WdFQN5kYT05lc8EJcaMblhcqWaQ6Se8R2Jv7Uv{/u9QVQPrpFYlujMDykhmOSEvQkHRNEhRL,0La[VnRs63dWb2o[PIb7OHWSlmdXar/czB5Er9Xf0ONcBqsFvNNf/cl3u[npJuKN3LVVEMo4580x+E2y0lSGyJxoM2F,5ymMC026Qwu9rOJs+oiBb:AcvIQMGDerowIxikD0MqJdF286DRnUc0bmTKGbzkcNhx2q7T8LscMPe54pSBi3i0WCJQizVSAV8VgpI14QHSZsGPykeS7LxsDP85QnHlWtv9dP/yGzsDEXqeHg+RbKRCEv7TLiIhPIF[XNYk2z1wd11NCR4UmekuOPRZx449uJMUDQ6gVk3D3U3vGvTSGihjVQTSUmQo/0zw6voOeMbMOpoie7K9MZWmMpgtge2dRd0fQs4mnwAQlX6Hp8yKOeeGdIA2TwhKlpg3QLEid1QmAl217mO78Mf5SsRRhDWvy3BzVceiluEvQrP{aGaJTRXezVl736zytC1CZ[NCJZq5coCZboV57c+UJUZyqQB,xqqTVRHgjN43Py3X+GI4947D5faOawsqbMQcsmy4TU/kYp64e[EvhV4sbVSE5GgslRz518vV3Lr8m3unyQKd1UHckHp{ZDs{jFB76Rg1e[g3SJv{FryUpxlZf[SJHFzJ1liM+qS9YkmmrdLQhE8X54m8ELVMjF2b0OQYvQn9fD4Um0oJmkf4x9LCzUgy81BLupQDnzCN2H/N+nsg49Qm2hP1bUJ7GeW[2JVqmWJzye4kf3mOT,936fjoH,zP5OszBfzVVRkDiPB0Fc4Cu:i8TYDIYyF7Exw[MMTXVPc{UUB,ynHgeNRTi6uHCw8yrBGECdB,1zA[80uIPqJpV{m3SUmOe6o60rrWQU9bx2cLf:Yi0MJQ0WYJRZb[kBaXLCErQI69B:V6o[lnYirid3NxCGlbVrLRnBiTgEFwPqW83qd,t,wmFsI8o1dY8Pvc0xm2G9AVvzy2fEEJfsiZcWj,rbPrdps55L4SLcqufDcrFqb,lyTJR3azddeID1GKCLRllwgXnmnIR0ejREXL9DuNMrCTvPdRZEoxdd+DxS7JVCR1uEoGLbO2l1Qv1ZouXZD4i3ztEe9xvNGnvq7NwxJWQYe1ubo1UXejx4e9QVfmPchm5rYRMSCNH[7BelkGpX0bdFT7W9qKIvpzycH04csMzm9jaeRIvcncvO6ulz38AmkKnNzxBQVBd,J9YOTkC2+fkj0rJHbF6dr0O:DYvvXxtl8EeNitdZlnEbWy4DNgaxDfWfCLqkJTQEc,jcemmcInX0ci3BBxiB16XVqU6yBYQUub0,4GeV6ikuj9GMJjRlvJDMVmpkCRmu/4j0YMT6S6d50sy,j1ZNrpLuNF05owPePxgsrwaJLDf2+98fQKdsS2gwBvrLorQkiknYWOUW19MmX2kw10KQoba85TE,1hFQGCSoNY0Ghbi[r5aM5zz2i3os4[fKQJ/EyO8kFc4FQldtIyDxe00Rbqs1dWJyM3ZRl7PPZCFcenk2LD6VQONOQC/Bfy+ynCE:FHTb0fOhi3GhD7ruxgVMh0dZrwr,N7MzN[i7K31USqy925mWXlw95L9p2Z5Po[0
SRj6bh{4DrDfvLLspZ,LObgl{6uGD/cJ6pHl4I6cxJzOeeniK1flqAOgg7tuUmZJgH6JisgNuJibC/r6uQ4o522Dce7u9iZG[txkCpmbdM9cZEQyHuDuTRxFPy{I{THQxn8rB45HW6xzgE63bii04g0M5iQ5gyV1Bni9setCJ1tCNIWNLhOexKM/DO1sr+gUy7sjiK1sGH2/1QdtKcW1cUVpECVgbRFVBwctiy6CKA6YPg75OT4vTzu19E21oHhe99HBMKqyh+qs83vLKrRmT0h64jkI:5Cz1POQVmo8NUJsXmZ5wpDc[FQ8VAwzNg1b1jX3p36eMRpfSHZXj84hERbt07MuX4,oUk0m4YpT7zh6dLMewcYd2VFEWWJt7F6oneT+2gwwsBsywmPdtdK0DOCu:EZ0cPChY8X1c7yVoXUENQ5JgRpv1ftndKL+gfDHUjkFk8ct,7NoKiRt{/G9g75qMgIp{mlm0ocOCizWcT8kD6UKK2hUwdxFPsKJsPTjtgQsLpsLl9MwxGMs7DMhRcebI2ys:3ZGfEINh/CNqdUftluGqZe07fL6qgtaqZzkJHWjoRD7KqSjoSMIod{XViHVpHdz1g2q15KbQsqhuzXIvy31,22Fshmzko:JOXBb2y,2xAFTZ13nUQb1YtLMum6ePgwOZG0s1QGk3nx5wXnsqQwJeOn4xzlZNasHUM4T3xXTvYQA9yzCJr",
          "GeneAilshe",
          "7'7I7X7",
          "=!=4=:=?=n=w=",
          "2)2/2F2U2q2|2",
          "SungActaKopsMaarposyparefuzedeck",
          "5#555<5V5",
          "7/7o7w7}7",
          "<3<<<A<I<a<g<",
          "GetLogicalDrives",
          "anl&#",
          "jq7HezqwYuyOKNC3i,fctGeeQ2x1QTXmhuKqXC02I1c5MnF83rKeBXgm/MweVdvdadkyoVPZhqq4TeRiNb+,+w9{pYg:pwP8",
          "(l&#l&#l&#l&#l&#",
          ".rsrc",
          "0+0K0b0g0",
          "8 8&8,828?8D8i8n8",
          "1?1E1c1i1q1",
          "5$5>5M5W5",
          ":2;3w",
          "=/=Q=Y=_=e=w=|=",
          "BhfDF/NFDuDKUA,0KfZJcXUiqWKoXWXfgFKt{CDVkm0ukZktnwKJTaQaGssZy8x3iOJqsfEJIPYMYBClB4JnSVoBrf3A6GY4Vg:yQsSwlp5nYYn6Xi1j3OQiHS6b090RtXRqWM2pXT9pZNJTNyrx8JiGsTHvZOfkjlOnBEqsRO556W4tGfwCOC,Sllqng00h5aChqf{+XeYESoMCtFRumO8ASHGbWnNg[4plVF2J{5oCYcV5ebQQ35kEqziKpdMoGeiidSFcWX3B4MfH:ZXy7Qd5Xpn4tNEyRPt/vPMVITGqdV:zJpPUpMFZRZRSl1igmd8kqg9x6FbBcSmGdA1Hxgcz4jpcsNOqXvVQtAvtSn3ophMRe8VOUquuUM[Q22BKYABj62i+0JgXdsKJc76EVUgeBhlaed[o8wv71cGUxZUbgBT6J8BoQaFNGNJgb8ZwrD9BHwbI0ZqjM1gdsskSUonDTU,TYdB45UOlfloIUw[Nd7{Ek/v4nfk/4Wl5gXVNm59CqjDsMuyzyW[fBABH6Wi7:QW+eHLw12z79ZF0K2g8EBLZl5CvRrSHFRQNgTF9,K5Hghec5S{JO/5DUSbGQfSBbWMu0oDX:vF0ipLoVkHFvyGMDQY2sNpuBOcsBTxNbC:DR8T5u7XsgHHDjmXXQ2u4G+LKJzmi5og/1M1d0ho+Ut64Y7j2UWpps9sG,ZrVsjmz2vRuYlrQt7dqrsLWrudyNrCQyLKOXqM1zCnqw70+[rfhzinMr961HPiezamwQz{b4Cnet4LVIxHp3JEkV7gv5yYCLbSxuql65JXqPuJH4OVF,QHSVGWr9XrFD7Imu7yb:UyX6EdzDUOq,CdzK/PE4AxtC/I4[rc5[DhI[VysV0vBuR9DWeMLd05D3QKQ94U8tTKAVwI3cx0Kj/oXSRQh4O7OZ3sfU9wwB3cqoP9Nnk9iVVtRiOBkQIEcvklFNBpaXMWffsf9hcZC62iveR0+:tM8owm/Fq:aLG7DM7K4RQg1O/JCGhDuq0Xs6THgkqHDO6cP5yXVdkFd1TM6m3h0N21ToFTGSv0GTwF0kV2Ku/N0Zu9bCERBMIsZvMiLnWBnljCcIOzHuwkLhVTDR3o/gE,wMcWiIbLFgoH3poR3Qr3USK,dMqHvewRg:g08UJxXJjuqvA:MvBE1p3GLkH0VMDc0,rVXv70leHV4lV67LAF1Ef5xmDHAx7pdrkcVcpc9UFrdJdNXuDhG1ofkplsoj0Y0FrYapR4oWb:gT3CCGer91aeVQ3YbZ/f4su40Szyk5K2/iYtOrXpouFRP60QQSWgpqV8EVCrQXLgkRZeUhX{9JYXoM/U8KpjM8O[BDi5muflH3WNQdrw2hxkzpPr95MTZWEXfPR73ve8ipGvinDykC/Kttlfesa226fMB31SRc2bdfYmOyK:z83vEhUjymQEk4+99bIxi6dzCxvNHhSRsr8leOylhMZz4vCKN2QpwvBhB39CYzuuholg/4jEwDB37Q65GN5p/ifF5Mf2deKL0NK0eHXty1vpE9VE0f25/W34qOjiSI3yegnjzsGhXV55C[dIKTLdRIEhbczN7F1[A:L5cSemIFl:D{FtSSRLk:td8i0MS97{RDZCowTO8,hySPYhbzTMO2QSIn89ghcCe{OUWd0cYOaZhYhuXjl:b0rKaittxopu6m86LggnL8JF5R370tG4YkfVwquXLolP00DDTjAdkwfs5zHppPPyeVtCzfH3MMXJ8LO8R3oTz5GHmpgioKZu20O{11RGV[dvAHPMHIj[MpYKNsbWv9QMM5bYzLpPUc7bgPsJklp2v,aSjC1RBsUSTFOBR51fZ0XdVhhOUyb{3My9/sY6lz9ILUEdhXgC3lt7H52hPrVkOoz6XxltrjRksi46t6fGFWjS6eB,Mi4JIcp,j4Z[wUin48t9pZY9Tn5NJ[4kI1z8Wm0to5WCyqylMIJXa8J6WcleEUl88eMTI{0PH6GsNLwYiN
gepq0VNqlnSZhqJOFrorPZp2hzfpo,2YKMSnlUFBmQmb5iVrWQYfq6B5vgzL/uV428+mOK6Uj4ym0k6I1VMwIrlIOOgH3QxTF2InatsshVxKr4WLbZ4heq+BJDwYL4BWEIeDQ0GN74v,HRcubq7ldWh1Z3lztiR[UbcVrnscCwC6YCCoSoNSfV2cBxLi1br1nVyiUXII0OhOE7MeU,qFcxtTnGGVBdVICGoi6SD10u/KQ1Q4CJfUoUYFCkabQSB7W4aMcCy2kkCIf[vZoPWiQrb8ZgGCMxQ{QYprHki86W7euU6WlJi:kSEJngEG5ZDUwRT3CfAojkrm2YCqIxB7dO9XoVN:vsGQq4vL1ILXbKh17o66wraYtk7I9JIfVgH{FcNOl:Ks26W2E0KMqFYK13cC3GJkc29izB4I+{Zsbws:aGx0o43jngHpRFgRW{jshztsvlHO8LMv4Oq3JV0XUIGBh2wrLSuJQuQz0mmKRfa5LuYbOpp[OgoDxH9,UXGM8lJ7uEGo39sRh4OdxoLCiksI7Qr0oB1DLJ9gtKvtTFXLhudnj7QsRO+mwvtmMPdwll5ytpeGQ{05zo7O+oDlDBMmSg6e3S3Ye{idK:WFK6OxsjLppHI9QSCXckWoyXdVu4Oyie0BD,hEz2j4z0toGlkPUYinFVFCad/[7KcjsHXelESxa7EzSngfbq0vG4q7jd3rqPCVfnYQjYXI6S+p2I+yXCbICd2itoV659KZTxJPGcU,KHj8BVWNNDPH9qXKBX/dsoefwVubi2q9AmL3Cceg2izFtmd2HZZqUozj1zWRVkQXhqCXd1g,NHCscHLhu,4evBG9gTy{8vme+p6sE:Pmu0iCv3/f87Q[nOv,uMyER6j:ONHHBlCyfctdzDHrLxIYxWZN5kR1ypZjfx7wN[2sCiQ6gygT/9lXGhzbi0/uyuDeP1FRkydNE:2IZQ5EFNR8vEuinOU[ycEZPnAJVoSFl6OVW{Z6BTbyBrOfLo7Jb13ke,tP1MMws3WyvK+FZWo46Hivd{cIG7iH8FlFeDKuQ[EkYtQF2NTELJL,p1KCvvDxz78ILkFMj98gl92h3faBwGYSV1K7/6n:GQCmJpUhjz9h6ik6qV0YdJSqWMtRxdeqzZXHT19933OHwZH{P,qZ/2xBIVWLOnJGaSFnQeozAgne6UPIpijddnkZaoq:qN08wsxUoVo[F8SeJOI86pXZmmQPST4ZrwTrGcUNJ06P2K+ZsfR{s04PTF6uq96N6su7doSKTRSJlZOpJjjKEYubnr1vYrPYT[GFf{sYilRjKn9xRrYRz5DXO65t3iz4MOMzgkJ9VTJCcj7QBQBdYZ2NFJ9PKJHLumfylDoWBZjcfp1mXVbvisHucS/{lMCX/17SFJ1JFTwxoHi5jCw,Jjymf5JxF10eMPl0FtUNu6p,ZjL4MqioG,eLUZT65MOqyPZURVyidg8JUYhE/:aZ0M+gwqojRJ/P5bglXOS4wBJUEgNlVBIoz0GkXnVQ0RedyDyj5:OrOZQ77ytZ9D6xeQq1rPqXkWKTYTT0zed{t8oz7GEfRQtcR[chQzS[/xTuR3j:rmXLoMNii6y4Y1kr9zm:/NOBC8MjkR3DmZ0eVy+EYzJRA1UFu0zztGG4ZR1ofr73oxfEk9f8pJNHYo3rDMbQ1CI{JrWnGGYyS3RR6rJLzFe0f{pTxr7Y02mmfjE[yS04SJcxv:pxwEPcP3aCxlcMHXsGAFhsN4xitzW7BX+:7wx4T4Lve6SNUbLKhHkDgbAEGDSZbsqcip84Rtb{dyzqYhp1jnk8ATNWcJ32PGYZ3bzdmjDYaVbzD{Lnzhhi1o24jY4WLLuym,JG75l0U5v6tugFiiX9Dob2n[xqMy5yX{A3d,fGFV1oXcyMoV+ZXdj2928Cfo6Z77CuZqtqrbw9USwQL4TtYXDWlYexmR573HspVCTs2FoMPCZ4cgjS0HAhXIVWFqzjIt54MgFGQMUo8gBstffMsoh4
X4KXMSIDtTL4FbL:tmMvWrwkjS5oxp2J0sVUsTVGT1+ShYOlvLUbtEUL9JOezwF6Nbm4eyYIim8EprsP4y/WiXTl6Okk1wDqoek7/40DbGT5Yps2HLb7vWO2TRfXEfbotU88ybxzoC81K22[FQY,RFfjs36XPF64F[clXHdEnFtUv9RDmN6DSrd4zyc5ZUEo963lKc3VQl5hJBiMs5W1ekpKYK4su69zfyZYdKNnJ42Mt9V[kXRLs2bwXjj:K14bYbL65VF5QQhdZ{K5RpV1XlVEsgS36bIISwFRh4F3RHTQO43rk5mdpi+[qdDF/VzTO{PoSzloY77XoQ19TojtLlEmVr6HbVgzMGULlFALuc0b36hqlsZsC:5YLvp,UF5Cuss{i9kXtDdYkpX5CWWOdO6V+JyOKLAEAv4NY2/BbQPkYYPCJuk8t,clqz+Cx[IzkGHM/5Jf7qA[R7fdkmak9Jw:cNFLnmK[oikwgrAu3NfdMuWJ3vo7g9b0OhQ0wL+DRgdIPJhSTcUTZW3ma3PjL69TAzoUMTiwYyeNnWvjOzt5I7OJHvHG79r:8wb5fjjT9{Bum{vHgTD9OiBcxxXHm5TGi5l1d{kdq9vN3OW4a9kR0CABGCX8ljwTX[DkxzbCkPnP91dSmjFusISmyh+jKcyHDHKgmjteFCCqfewyu{mJOxMxYc3mOnXR1SbG4mWqFEszDnfF0:X91jrvnGaG5xB,l{pcH7PdPZK,oe3Dq9fIaqXqSyih+bnoJxSkhIGqI9ODyFilKTaKXRYiLibTmTw,yel1kHaw9dq:/Wu{bMVo8s3n6cA:xIenCE76wjU,+CQmFRT8ciqjEBvhF34cGBCjX:S,p85Lgf07yjUHbi9Ch0XiBdxoLPHV+cDP/bOwm[uzWHWSUknhs[NYauCOktsDR{EwXdsny9dn2xsnWcrsJbd:dO5ZYl+tZuexpuhDekGLkQaBGx8QwibdAnXcPeFRxOO,8EkUjPZJafAotTig9ObprCDV93wo3WVpajf[PUSGgNUYq4GwxRl1l8YEkLd38LobL8AMEu14zrvC3HEHBLPzYi70iN7eo5sgSCKlAhKs+O36Dpm3tlxDcuLXd:Hp5nIv9PSGdjQt3L3DclUt2wxZ18/p5bG0Y1cxDnAQxjgl1tay5K+cbQQtj4q7F6RRF2y4pvuWZBXPePKz9euZ5phE1l5:ZnDHVzesw9JTd3EsLf4QlVxPuQmPRt+8FmzdWF+NGwhnNXVtFGHyefq[5SMMLWFWXhCXoVNCIR/8ZMvvaUkNHN3eefYndNrs0XApeerI+isCVRnsxti3Hyz9mbgS89pWnnfdKP1bmEXedv7fM95cCYWyF72FDf5BxOosqX4vCn/7RyQrxIfzJ7iQVEZ{3i+sRm7wQ3h:/2rx9EmYJfZR6SjnIsxdBudDPLQtmSHDiezHaR2jTc691LGMpdAOywh2qQB51T1,lJ448{UukQ9vbGOB1MdD98i4KVWN2eVfU,t{Zw4ByfQESLdUkzj1oUD3AVBUZQVow:PFgYUQWNIOsT/xph2hTUi1hVVy93j8JVeqcOymypQI9S4fPGRNB6I6OXOo8zAfkEJ3LcOBVECF7xdVV6pUmqnje1WF1uw:CSWeXG4OIs1ZjPs8W09ka:/jlG2htKHczO/LallfFmq8YK0UfUUn5LqPidSsiGErYVJSNM0lFGeLvH7uMBC3PY7[gCrDZ5wKUFTgqj1cRoGHISQoltEDl9npVz9DWKMn32C[UtPMXUesIMqy242ycVXUzSYkmXNJWnIU5Myik2q0bEJTG28DR935p14CT3ZBnVP{TUAQh4A9BbzvyQudyBXDGLTnY9o9ilK7IURIs2ug4jFV3F/D6wH{OpP8y4vDb[I[0GGyb[CpWNOTlg/Pw33ZT{Q7bDZMtEOKIcqxYLPixog9zvZLnyCEbh8{YynG1tX4H,6idYQxNk2[zFb81vAIA9XZyyHXhn2VSjj[Wt0Qf32DUFDY
0iLEvfnlQf+X0LN:L2d3SFZB7CKJ41z8rjRN9Iue/rNneFbC+fAJ2r21aX5VgwIQxdGsIPAd40ihGXz2O{nbLn6{S3HeWkvYkXnX8qZqJod2sdkORF7MUOL95r+WUgBsnU5xKZMnwpexcyQlQfzjttNCJ46vR99d0pox8nLSDi7bL6YQhG2:bo5kvb0Cxg6tJmD7Ftx:N07rLZn6YfIZNlhrk{G9bdr4PZt:pZib/82ohG8dj41ZcZAbfQ9WFCa[K2VpPMofNRHGtOGgw3G211vBz2+Kbix,w4R2gXHuwLZ19TmXsQb3YpZ5Wp3,mNRsaD+xMupwKW4lv:cB6eE[VhSUEN4OGtg1Tk4ecgaxY{vVBu3BIgOf4xNfstzuO8OQBgff0x9MH{36PSCr3kP10,xGRrvxPKt,fz/UBRnYw0wSfBtZ4:kjt{W7D3rTz0tLQ:NIZT88GkyXu7X6C65Bg{SWP40J6T78SbI64R6vHraOdpWPVjBuCvZ7kzomoMjyJ,Bg8sP3Bw/KEfgvczYocu2eo,ecgxg97Hc[5ktOF4LLg{fjfmeVFzQvRH4UIHju+UdE1MWqWir5lNRq7fKZH0Wzd,i5mKFveJ1h/pC6rma4+N0K+H80/GjSjINkQqQovwPHNN9VAPSVIWUj+PY18oFwpycIvG5OPW4{BmuLSchRs8siWEYQ8YBnCYz6gwM,uYOfW[LmOBw02pJ",
          "SiretomsbritGrewIckyNapaLumsBoaren",
          "85+IZrM4lXHU4HObuTGHaOAzaZA[w1b8g0FcaXI9HRuGp,tuo{who0BHGIlNQNRk6n2[ON0Ia8p7etGiUY",
          "GetDriveTypeA",
          "D$dm*",
          "DenyLubeDunssawsOresvarut",
          "l&#l&#GP",
          "l&#l&#l&#l&#l&#l&#l&#l&#l&#v",
          "797A7F7K7Q7n7s7{7",
          "?OilspocoShopGlutNapeTyroapedfiscjo@@YGGXZ",
          "?%?9???V?]?e?",
          "484S4Y4t4y4",
          "FindNextFileA",
          "9$949|9",
          "GetCompressedFileSizeA",
          "yO?^:,z"
        ],
        "virustotal": {
          "error": true,
          "msg": "Unable to complete connection to VirusTotal. Status code: 429"
        },
        "executed_tools": [
          "msi_extract",
          "overlay",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 8,
        "cape_type": "Unpacked PE Image: 32-bit executable",
        "process_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
        "process_name": "invoice_231836298371.exe",
        "module_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
        "pid": 3236,
        "virtual_address": "0x03A20000"
      }
    ],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-06-29 15:14:41",
    "ended": "2026-06-29 15:18:29",
    "duration": 228,
    "id": 95,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 95,
      "status": "stopping",
      "name": "win10",
      "label": "win10",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-06-29 15:14:41",
      "shutdown_on": "2026-06-29 15:18:28"
    },
    "package": "exe",
    "timeout": true,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "vnc_port": "5900"
    },
    "source_url": null,
    "route": "internet",
    "user_id": 0,
    "CAPE_current_commit": "394455c2cd85889fb0782bfcf1f8c5c2f7f77b46"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 3236,
        "process_name": "invoice_231836298371.exe",
        "parent_id": 2892,
        "module_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
        "first_seen": "2026-06-29 22:14:56,875",
        "calls": [
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "5028",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "5028",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "4444",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "4444",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "4564",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "4564",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "4156",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "4156",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "4296",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-29 22:14:57,062",
            "thread_id": "4296",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000268"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000268"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x75130000"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e880"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x751497e0"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000268"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000264"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04990000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0019fa74"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000268"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-29 22:14:57,093",
            "thread_id": "5028",
            "caller": "0x0040a56a",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000268"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-29 22:14:57,203",
            "thread_id": "5028",
            "caller": "0x00403a2c",
            "parentcaller": "0x00405703",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0067f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-29 22:14:57,468",
            "thread_id": "5028",
            "caller": "0x00407109",
            "parentcaller": "0x0040733c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00434000"
              },
              {
                "name": "ModuleName",
                "value": "invoice_231836298371.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00005000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-29 22:14:58,609",
            "thread_id": "5028",
            "caller": "0x00407109",
            "parentcaller": "0x004350f6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00041000"
              },
              {
                "name": "Protection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-29 22:14:58,875",
            "thread_id": "5028",
            "caller": "0x00407109",
            "parentcaller": "0x00435167",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a20000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00041000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-29 22:14:58,875",
            "thread_id": "5028",
            "caller": "0x004022da",
            "parentcaller": "0x004067d9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0067f000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-29 22:14:59,140",
            "thread_id": "5028",
            "caller": "0x00407109",
            "parentcaller": "0x004353cd",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00400000"
              },
              {
                "name": "ModuleName",
                "value": "invoice_231836298371.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00041000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a5447c",
            "parentcaller": "0x03a55c77",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00439000"
              },
              {
                "name": "ModuleName",
                "value": "invoice_231836298371.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00006000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 39
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 43
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-29 22:14:59,156",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 47
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 51
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 55
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 59
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 63
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 67
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 71
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 75
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 79
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 31,
            "id": 83
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a545ee",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae100"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54616",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharAlphaNumericA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae0e0"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a5463e",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d20000"
              },
              {
                "name": "FunctionName",
                "value": "IsCharLowerA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75dae140"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-29 22:14:59,172",
            "thread_id": "5028",
            "caller": "0x03a54699",
            "parentcaller": "0x03a55c77",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              },
              {
                "name": "FunctionName",
                "value": "lstrcmpiA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7514e800"
              }
            ],
            "repeated": 8,
            "id": 87
          },
          {
            "timestamp": "2026-06-29 22:14:59,750",
            "thread_id": "5028",
            "caller": "0x03a5843c",
            "parentcaller": "0x03a586fc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00041000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-29 22:14:59,750",
            "thread_id": "5028",
            "caller": "0x03a57c3a",
            "parentcaller": "0x03a5834d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-29 22:15:00,953",
            "thread_id": "5028",
            "caller": "0x03a547df",
            "parentcaller": "0x03a55c77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-29 22:15:00,953",
            "thread_id": "5028",
            "caller": "0x03a54819",
            "parentcaller": "0x03a55c77",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00041000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-29 22:15:00,953",
            "thread_id": "5028",
            "caller": "0x03a54917",
            "parentcaller": "0x03a55c77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x022a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-29 22:15:00,953",
            "thread_id": "5028",
            "caller": "0x03a54940",
            "parentcaller": "0x03a55c77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x023d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-29 22:15:00,968",
            "thread_id": "5028",
            "caller": "0x03a549dd",
            "parentcaller": "0x03a55c77",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x022a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-29 22:15:00,968",
            "thread_id": "5028",
            "caller": "0x03a54a0d",
            "parentcaller": "0x03a55c77",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-29 22:15:01,000",
            "thread_id": "5028",
            "caller": "0x03a5665c",
            "parentcaller": "0x03a54c2d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00400000"
              },
              {
                "name": "ModuleName",
                "value": "invoice_231836298371.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00041000"
              },
              {
                "name": "MemoryType",
                "value": "0x01000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-29 22:15:01,000",
            "thread_id": "5028",
            "caller": "0x03a567b5",
            "parentcaller": "0x03a54c2d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00400000"
              },
              {
                "name": "ModuleName",
                "value": "invoice_231836298371.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-29 22:15:01,000",
            "thread_id": "5028",
            "caller": "0x03a56040",
            "parentcaller": "0x03a56a6e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-29 22:15:01,000",
            "thread_id": "5028",
            "caller": "0x03a56040",
            "parentcaller": "0x03a56a6e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-29 22:15:01,000",
            "thread_id": "5028",
            "caller": "0x03a56040",
            "parentcaller": "0x03a56a6e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x762b0000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-29 22:15:01,000",
            "thread_id": "5028",
            "caller": "0x03a56040",
            "parentcaller": "0x03a56a6e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75670000"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-29 22:15:01,000",
            "thread_id": "5028",
            "caller": "0x03a56040",
            "parentcaller": "0x03a56a6e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76320000"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-29 22:15:01,047",
            "thread_id": "5028",
            "caller": "0x03a56ae5",
            "parentcaller": "0x03a54c2d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00400000"
              },
              {
                "name": "ModuleName",
                "value": "invoice_231836298371.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-29 22:15:01,047",
            "thread_id": "5028",
            "caller": "0x03a54c5d",
            "parentcaller": "0x03a55c77",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x023d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001d000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-29 22:15:01,047",
            "thread_id": "5028",
            "caller": "0x00401e9b",
            "parentcaller": "0x03a283d1",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x00651030",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe\" "
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-29 22:15:01,047",
            "thread_id": "5028",
            "caller": "0x004020c3",
            "parentcaller": "0x00401abe",
            "category": "synchronization",
            "api": "NtCreateEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "EventName",
                "value": "\\BaseNamedObjects\\Restricted\\{0C5AB9CD-2F90-6754-8374-21D4DAB28CC1}"
              },
              {
                "name": "EventType",
                "value": "1"
              },
              {
                "name": "InitialState",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-29 22:15:01,047",
            "thread_id": "5028",
            "caller": "0x00401ace",
            "parentcaller": "0x00401efc",
            "category": "network",
            "api": "WSAStartup",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "VersionRequested",
                "value": "0x00000202"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-29 22:15:01,047",
            "thread_id": "5028",
            "caller": "0x00402bc6",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000260"
              },
              {
                "name": "Options",
                "value": "0x00000006"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-29 22:15:01,047",
            "thread_id": "5028",
            "caller": "0x00403966",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mswsock"
              },
              {
                "name": "DllBase",
                "value": "0x74290000"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-29 22:15:01,047",
            "thread_id": "5028",
            "caller": "0x00403966",
            "parentcaller": "0x00401ad3",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000274",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "1",
                "pretty_value": "SOCK_STREAM"
              },
              {
                "name": "protocol",
                "value": "6",
                "pretty_value": "IPPROTO_TCP"
              },
              {
                "name": "socket",
                "value": "628"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00403987",
            "parentcaller": "0x00401ad3",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000274"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004034b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000278",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "632"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004034b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "632"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004034b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "632"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004034b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00403fbb",
            "parentcaller": "0x004034cd",
            "category": "network",
            "api": "WSARecvFrom",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "632"
              },
              {
                "name": "ip",
                "value": ""
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00404056",
            "parentcaller": "0x00402bf5",
            "category": "system",
            "api": "CreateTimerQueueTimer",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "phNewTimer",
                "value": "0x0066b898"
              },
              {
                "name": "TimerQueue",
                "value": "0x00000000"
              },
              {
                "name": "Callback",
                "value": "0x0040401a"
              },
              {
                "name": "Parameter",
                "value": "0x00669d00"
              },
              {
                "name": "DueTime",
                "value": "5000"
              },
              {
                "name": "Period",
                "value": "0"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x004033f1",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "632"
              },
              {
                "name": "ip",
                "value": "8.8.8.8"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "33\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01j\\x07maxmind\\x03com\\x00\\x00\\x01\\x00\\x01"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CRYPTSP.dll"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "2816",
            "caller": "0x76f51b4e",
            "parentcaller": "0x76f4daf1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000007c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 120
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cryptsp.dll"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cryptsp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000280"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\cryptsp.dll"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000280"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74270000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74280000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPTSP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7427f000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPTSP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7427f000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPTSP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 132
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 134
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\CRYPTSP.dll"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cryptsp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-29 22:15:01,062",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\CRYPTSP"
              },
              {
                "name": "DllBase",
                "value": "0x74270000"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\cryptsp"
              },
              {
                "name": "BaseAddress",
                "value": "0x74270000"
              },
              {
                "name": "InitRoutine",
                "value": "0x74275d30"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756e3000"
              },
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756e3000"
              },
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "2816",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "2816",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\rsaenh"
              },
              {
                "name": "DllBase",
                "value": "0x74240000"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "2816",
            "caller": "0x00403fe8",
            "parentcaller": "0x004037d7",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "632"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "2816",
            "caller": "0x00402b58",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "2816",
            "caller": "0x004039d2",
            "parentcaller": "0x00000000",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "628"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x769d0000"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401a85",
            "parentcaller": "0x00401ad3",
            "category": "crypto",
            "api": "CryptAcquireContextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Container",
                "value": ""
              },
              {
                "name": "Provider",
                "value": "Microsoft Base Cryptographic Provider v1.0"
              },
              {
                "name": "Flags",
                "value": "0xf0000000"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401a95",
            "parentcaller": "0x00401ad3",
            "category": "crypto",
            "api": "CryptGenRandom",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Buffer",
                "value": "f\\x9c\\xb2\\xa1"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x0040189e",
            "parentcaller": "0x00401aa5",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401947",
            "parentcaller": "0x00401aa5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401ae2",
            "parentcaller": "0x00401efc",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000288",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004029b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x00402a57",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "ip",
                "value": "85.114.128.127"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "!\\xd2\\xfd\\xed\\x8e\\x9c\\x9e\\x98\\x1d9_2:k\\xa4c\r\\xdf\\xc2\\xc9"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "5028",
            "caller": "0x00401b05",
            "parentcaller": "0x00401efc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D78}"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-29 22:15:01,078",
            "thread_id": "2816",
            "caller": "0x00402a83",
            "parentcaller": "0x00000000",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00403587",
            "parentcaller": "0x00401b1e",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00685000"
              },
              {
                "name": "RegionSize",
                "value": "0x00035000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000288",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004029b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x00402a57",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "ip",
                "value": "85.114.128.127"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "!\\xd2\\xfd\\xed\\x0e\\x9c\\x9e\\x98\\x1d9_2:k\\xa4c\\xf92?\\x95"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x004020fb",
            "parentcaller": "0x00402745",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x004014d5",
            "parentcaller": "0x00401b35",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000028"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x004021d8",
            "parentcaller": "0x00401504",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xf4\\x19\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\xa3Ut\\x94\\xa0Ut\\xff\\xff\\xff\\xff\\xd8hUt(\\x00\\x00\\x00\\x1c\\xa3Utp\\xf5\\x19\\x00\\x06\\xf8\\x00\\x00P\\xf5@\\xf5\\x00\\x00\"\\x00\\xe4\\xde\"\\x00"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00402221",
            "parentcaller": "0x00401504",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00402250",
            "parentcaller": "0x00401504",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "Local AppData"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%USERPROFILE%\\AppData\\Local"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00402263",
            "parentcaller": "0x00401504",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401404",
            "parentcaller": "0x004016ab",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120116",
                "pretty_value": "FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401404",
            "parentcaller": "0x0040142c",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000294"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120116",
                "pretty_value": "FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401404",
            "parentcaller": "0x0040142c",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120116",
                "pretty_value": "FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401404",
            "parentcaller": "0x0040142c",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120116",
                "pretty_value": "FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401404",
            "parentcaller": "0x0040142c",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000029c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120116",
                "pretty_value": "FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401404",
            "parentcaller": "0x0040142c",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120116",
                "pretty_value": "FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401404",
            "parentcaller": "0x0040142c",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120116",
                "pretty_value": "FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401437",
            "parentcaller": "0x0040142c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401437",
            "parentcaller": "0x0040142c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401437",
            "parentcaller": "0x0040142c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401437",
            "parentcaller": "0x0040142c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401437",
            "parentcaller": "0x0040142c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-29 22:15:01,093",
            "thread_id": "5028",
            "caller": "0x00401437",
            "parentcaller": "0x004016ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x004016ea",
            "parentcaller": "0x00401b35",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000294"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001e0116",
                "pretty_value": "FILE_GENERIC_WRITE|WRITE_DAC|WRITE_OWNER"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x00402619",
            "parentcaller": "0x004012ac",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x00402658",
            "parentcaller": "0x004012ac",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x00402674",
            "parentcaller": "0x004012ac",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xdc\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x00402696",
            "parentcaller": "0x004012ac",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x004026b7",
            "parentcaller": "0x004012ac",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000298"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0003e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000008",
                "pretty_value": "PAGE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x004026ef",
            "parentcaller": "0x004012ac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x004026f4",
            "parentcaller": "0x004012ac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x00402583",
            "parentcaller": "0x004012be",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001c0104",
                "pretty_value": "FILE_APPEND_DATA|FILE_WRITE_ATTRIBUTES|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000006",
                "pretty_value": "FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-29 22:15:01,109",
            "thread_id": "5028",
            "caller": "0x004025c6",
            "parentcaller": "0x004012be",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd1A\\xd4B\\x95 \\xba\\x11\\x95 \\xba\\x11\\x95 \\xba\\x11\\x9cX/\\x11\\x94 \\xba\\x11\\x9cX)\\x11\\x9e \\xba\\x11\\x95 \\xbb\\x11\\xc3 \\xba\\x11\\x8e\\xbd\\x15\\x11\\x86 \\xba\\x11\\x8e\\xbd!\\x11\\x94 \\xba\\x11\\x8e\\xbd \\x11\\x94 \\xba\\x11\\x8e\\xbd'\\x11\\x94 \\xba\\x11Rich\\x95 \\xba\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x06\\x00#'\\x93R\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x02\\x01\\x0b\\x01\n\\x00\\x004\\x02\\x00\\x00\\xa4\\x01\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "252928"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-29 22:15:01,125",
            "thread_id": "5028",
            "caller": "0x004025db",
            "parentcaller": "0x004012be",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-29 22:15:01,125",
            "thread_id": "5028",
            "caller": "0x004012cb",
            "parentcaller": "0x0040174e",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-29 22:15:01,125",
            "thread_id": "5028",
            "caller": "0x004020fb",
            "parentcaller": "0x0040132c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-29 22:15:01,125",
            "thread_id": "5028",
            "caller": "0x00402583",
            "parentcaller": "0x0040135a",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001c0104",
                "pretty_value": "FILE_APPEND_DATA|FILE_WRITE_ATTRIBUTES|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\@"
              },
              {
                "name": "CreateDisposition",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000006",
                "pretty_value": "FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-29 22:15:01,125",
            "thread_id": "5028",
            "caller": "0x004025c6",
            "parentcaller": "0x0040135a",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\@"
              },
              {
                "name": "Buffer",
                "value": "\\xc4\\xd6(,\\xe5\\xf6rW\\x1b\\x03\\xc2j\\xe4\\xf6rW\\xba]\\xb4\\xbe\\xe3\\xf6rWL\\x18W0\\xe2\\xf6rW[\\xde?\\x1f\\xe1\\xf6rWy\\xfeN\\xf6\\xe0\\xf6rW\\xb5\\xbc=\\x0f\\xdf\\xf6rW\\xc5\\x06.\\x97\\xde\\xf6rW\\xabbjB\\xdd\\xf6rW\\xc2\\x98\nh\\xdc\\xf6rWw\\xea\\x99\\\\xdb\\xf6rWS\\xe9\\x96\n\\xda\\xf6rW\\x05R\\xa1\\x11\\xd9\\xf6rWZ\\x9df\\xda\\xd8\\xf6rW\\xbc\\xf6=\\x94\\xd7\\xf6rW\\x05\\x0e~F\\xd6\\xf6rW_]eW\\xd5\\xf6rWP\\xf5\\xb2C\\xd4\\xf6rWs\\xa7Ce\\xd3\\xf6rWy6\\x0e\\x95\\xd2\\xf6rW\\xc8K\\xf6@\\xd1\\xf6rW\\xcb`\\x04Z\\xd0\\xf6rW\\xbcq\\x7f\\x90\\xcf\\xf6rW%\\xfc\\x7f4\\xce\\xf6rW)\\xdc\\xad\\x12\\xcd\\xf6rW<0\\xfe\\x07\\xcc\\xf6rW\\xbd\\xdc\\xb7j\\xcb\\xf6rWO\\x8dwW\\xca\\xf6rW_A&\\x84\\xc9\\xf6rWSc\\xd5\\xb8\\xc8\\xf6rWM\\xddIF\\xc7\\xf6rW\\xb2Y\\xa8\\xc0\\xc6\\xf6rW"
              },
              {
                "name": "Length",
                "value": "2048"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-29 22:15:01,125",
            "thread_id": "5028",
            "caller": "0x004025db",
            "parentcaller": "0x0040135a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-29 22:15:01,125",
            "thread_id": "5028",
            "caller": "0x00401262",
            "parentcaller": "0x00401387",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001e0116",
                "pretty_value": "FILE_GENERIC_WRITE|WRITE_DAC|WRITE_OWNER"
              },
              {
                "name": "FileName",
                "value": "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\U"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000006",
                "pretty_value": "FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-29 22:15:01,125",
            "thread_id": "5028",
            "caller": "0x00401283",
            "parentcaller": "0x00401387",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00401262",
            "parentcaller": "0x004013b8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001e0116",
                "pretty_value": "FILE_GENERIC_WRITE|WRITE_DAC|WRITE_OWNER"
              },
              {
                "name": "FileName",
                "value": "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\L"
              },
              {
                "name": "CreateDisposition",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000006",
                "pretty_value": "FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00401283",
            "parentcaller": "0x004013b8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000288",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004029b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x00402a57",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              },
              {
                "name": "ip",
                "value": "85.114.128.127"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "!\\xd2\\xfd\\xed\\x0f\\x9c\\x9e\\x98\\x1d9_2:k\\xa4ch\\xa3W;"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00401014",
            "parentcaller": "0x00401839",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf3\\x19\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x18\\xf4\\x19\\x00t~~\\x02\\x10\\xf4\\x19\\x00\\x7fb\\xf4v%\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x028\\xf4\\x19\\x00\\x88\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x0040105a",
            "parentcaller": "0x00401839",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "2816",
            "caller": "0x00402a83",
            "parentcaller": "0x00000000",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00401081",
            "parentcaller": "0x00401839",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Google Update\\x00\\x202e\\x2764"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "\"C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe\" >"
              },
              {
                "name": "BufferLength",
                "value": "328"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Update\\x00\\x202e\\x2764\\x695c"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00401093",
            "parentcaller": "0x00401839",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000298",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "664"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "664"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "664"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004029b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000298"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x00402a57",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "664"
              },
              {
                "name": "ip",
                "value": "85.114.128.127"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "!\\xd2\\xfd\\xed\\x0c\\x9c\\x9e\\x98\\x1d9_2:k\\xa4c\\x9a\\x17\\x9f\\x12"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "2816",
            "caller": "0x00402a83",
            "parentcaller": "0x00000000",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "664"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x0040185b",
            "parentcaller": "0x00401b35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00401867",
            "parentcaller": "0x00401b35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000298",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "664"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "664"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-29 22:15:01,140",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "664"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004029b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000298"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x00402a57",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "664"
              },
              {
                "name": "ip",
                "value": "85.114.128.127"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "!\\xd2\\xfd\\xed\r\\x9c\\x9e\\x98\\x1d9_2:k\\xa4c\\x0b\\x86\\xf7\\xbc"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00402025",
            "parentcaller": "0x00401b5e",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D77}"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00402050",
            "parentcaller": "0x00401b5e",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "\\BaseNamedObjects\\{81D05F9A-5343-439f-ACAB-E7822E4416F9}"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00401972",
            "parentcaller": "0x00401b70",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000028"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x0040198d",
            "parentcaller": "0x00401b70",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "2816",
            "caller": "0x00402a83",
            "parentcaller": "0x00000000",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "664"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004019aa",
            "parentcaller": "0x00401b70",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "19"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004019ed",
            "parentcaller": "0x00401b70",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "3"
              },
              {
                "name": "TokenInformation",
                "value": "\\x04\\x00\\x00\\x00\\x04\\xf8\\x19\\x00\\x00\\x00\\x01\\x00\\xd4\\xf7\\xc8\\xf7\\xff\\xff\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x10\\xf8\\x19\\x00\\xaa\\x19@\\x00\\xa4\\x02\\x00\\x00\\x13\\x00\\x00\\x00\\x04\\xf8\\x19\\x00\\x8c\\x03\\x97t\\xd5\\x19@\\x00"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004019ed",
            "parentcaller": "0x00401b70",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "3"
              },
              {
                "name": "TokenInformation",
                "value": "\\x19\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00401a00",
            "parentcaller": "0x00401b70",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00401a28",
            "parentcaller": "0x00401b70",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x000002a4",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "676"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "676"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "676"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004029b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x00402a57",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "676"
              },
              {
                "name": "ip",
                "value": "85.114.128.127"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "!\\xd2\\xfd\\xed\\x8c\\x9c\\x9e\\x98\\x1d9_2:k\\xa4cn\\xfabN"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00402619",
            "parentcaller": "0x00402800",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "2816",
            "caller": "0x00402a83",
            "parentcaller": "0x00000000",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "676"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00402658",
            "parentcaller": "0x00402800",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00402674",
            "parentcaller": "0x00402800",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xdc\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00402696",
            "parentcaller": "0x00402800",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004026b7",
            "parentcaller": "0x00402800",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000260"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0003e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000008",
                "pretty_value": "PAGE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004026ef",
            "parentcaller": "0x00402800",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004026f4",
            "parentcaller": "0x00402800",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004020fb",
            "parentcaller": "0x00402745",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00402583",
            "parentcaller": "0x00402836",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001c0104",
                "pretty_value": "FILE_APPEND_DATA|FILE_WRITE_ATTRIBUTES|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msimg32.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000006",
                "pretty_value": "FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004025c6",
            "parentcaller": "0x00402836",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msimg32.dll"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd1A\\xd4B\\x95 \\xba\\x11\\x95 \\xba\\x11\\x95 \\xba\\x11\\x9cX/\\x11\\x94 \\xba\\x11\\x9cX)\\x11\\x9e \\xba\\x11\\x95 \\xbb\\x11\\xc3 \\xba\\x11\\x8e\\xbd\\x15\\x11\\x86 \\xba\\x11\\x8e\\xbd!\\x11\\x94 \\xba\\x11\\x8e\\xbd \\x11\\x94 \\xba\\x11\\x8e\\xbd'\\x11\\x94 \\xba\\x11Rich\\x95 \\xba\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x06\\x00#'\\x93R\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x02!\\x0b\\x01\n\\x00\\x004\\x02\\x00\\x00\\xa4\\x01\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "252928"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x004025db",
            "parentcaller": "0x00402836",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-29 22:15:01,156",
            "thread_id": "5028",
            "caller": "0x00402843",
            "parentcaller": "0x00401b85",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x00402583",
            "parentcaller": "0x00402890",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001c0104",
                "pretty_value": "FILE_APPEND_DATA|FILE_WRITE_ATTRIBUTES|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000006",
                "pretty_value": "FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x004025c6",
            "parentcaller": "0x00402890",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8f\\xb2\\x96\\x94\\xcb\\xd3\\xf8\\xc7\\xcb\\xd3\\xf8\\xc7\\xcb\\xd3\\xf8\\xc7\\xd5\\x81|\\xc7\\xc8\\xd3\\xf8\\xc7\\xec\\x15\\x83\\xc7\\xc8\\xd3\\xf8\\xc7\\xcb\\xd3\\xf9\\xc7\\xbf\\xd3\\xf8\\xc7\\xc2\\xab|\\xc7\\xc0\\xd3\\xf8\\xc7\\xc2\\xab{\\xc7\\xce\\xd3\\xf8\\xc7\\xd5\\x81l\\xc7\\xca\\xd3\\xf8\\xc7\\xcb\\xd3o\\xc7\\xca\\xd3\\xf8\\xc7\\xc2\\xabi\\xc7\\xca\\xd3\\xf8\\xc7Rich\\xcb\\xd3\\xf8\\xc7\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x05\\x00S\\x14}N\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "89248"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x004025db",
            "parentcaller": "0x00402890",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000260",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "608"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "608"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "608"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004029b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x00402a57",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "608"
              },
              {
                "name": "ip",
                "value": "85.114.128.127"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "!\\xd2\\xfd\\xed\\x85\\x9c\\x9e\\x98\\x1d9_2:k\\xa4c\\xb0\\xf4\\x19\\x93"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "2816",
            "caller": "0x00402a83",
            "parentcaller": "0x00000000",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "608"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x004028e4",
            "parentcaller": "0x00401b85",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SHCORE"
              },
              {
                "name": "DllBase",
                "value": "0x755e0000"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-29 22:15:01,172",
            "thread_id": "5028",
            "caller": "0x004028e4",
            "parentcaller": "0x00401b85",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x746b0000"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "5028",
            "caller": "0x004028e4",
            "parentcaller": "0x00401b85",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x746e0000"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "5028",
            "caller": "0x004028e4",
            "parentcaller": "0x00401b85",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x756192a0"
              },
              {
                "name": "Parameter",
                "value": "0x0019f3f0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "168"
              },
              {
                "name": "ProcessId",
                "value": "3236"
              },
              {
                "name": "Module",
                "value": "SHCORE.dll"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x75b94081",
            "parentcaller": "0x757d2447",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x0000001e"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x757d0b62",
            "parentcaller": "0x757d0b02",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e155",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e155",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74cf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74cfc000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74cf9000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74cf9000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 288
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 290
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-29 22:15:01,187",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x74cf0000"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0xffffffffa9547801",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x74cf0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x74cf47e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f2fae4",
            "parentcaller": "0x76f2f7cb",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00691000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f2f645",
            "parentcaller": "0x76f479e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00691000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "uxtheme.dll"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e155",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e155",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\uxtheme.dll"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000314"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00074000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7422e000"
              },
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7422a000"
              },
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7422a000"
              },
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 314
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 316
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x741c0000"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f412d7",
            "parentcaller": "0x75ba4945",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001a0000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f2fae4",
            "parentcaller": "0x76f41317",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00190000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f41375",
            "parentcaller": "0x75ba4945",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f41375",
            "parentcaller": "0x75ba4945",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\uxtheme"
              },
              {
                "name": "BaseAddress",
                "value": "0x741c0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x741f7470"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x741f457b",
            "parentcaller": "0x741f434f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0>\\x1ft\\xe2\\x01\\xdb\\x17"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000318"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000314"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000318"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x741f452a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x75519844",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x75519865",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75519888",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x7514b9a2",
            "parentcaller": "0x7514b783",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "OleDropTargetInterface"
              },
              {
                "name": "Atom",
                "value": "0x0000c020"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x7514b9a2",
            "parentcaller": "0x7514b783",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "OleDropTargetMarshalHwnd"
              },
              {
                "name": "Atom",
                "value": "0x0000c021"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 345
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ValueName",
                "value": "UseFindFirstFileEnumeration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\UseFindFirstFileEnumeration"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 349
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ValueName",
                "value": "UseFindFirstFileEnumeration"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\UseFindFirstFileEnumeration"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002fc"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xa0\\\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x01\\x00\\x00\\x00\\x00\\x00&\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00^\\xac\\x01\\x00\\x00\\x00\\x01\\x00I\\x00n\\x00s\\x00t\\x00a\\x00l\\x00l\\x00F\\x00l\\x00a\\x00s\\x00h\\x00P\\x00l\\x00a\\x00y\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "PROPSYS.dll"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\PROPSYS.dll"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-29 22:15:01,203",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000031c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000031c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x740f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000c2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a1000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a1000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 370
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 372
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\PROPSYS.dll"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\PROPSYS"
              },
              {
                "name": "DllBase",
                "value": "0x740f0000"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\propsys"
              },
              {
                "name": "BaseAddress",
                "value": "0x740f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x74150da0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76872000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76872000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 395
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoPropertiesMyComputer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 399
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-29 22:15:01,218",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoPropertiesMyComputer"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 403
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoPropertiesRecycleBin"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 407
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoPropertiesRecycleBin"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 411
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoControlPanel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 415
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoControlPanel"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 419
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoSetFolders"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 423
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoSetFolders"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 427
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoInternetIcon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 431
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoInternetIcon"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 435
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\invoice_231836298371.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 437
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 441
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 447
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoCommonGroups"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 451
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "NoCommonGroups"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75ba9b48",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x0f\\x00\\x03\\x008!i\\x00\\x08\"i\\x00PAf\\x00\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\xcc\\xf0\\xec\\x04\\x16<\\xf4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75ba9bca",
            "parentcaller": "0x75ba9ac1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85a2e",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000328"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xee\\xa4\\xee\\x98\\xee*\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf1\\xec\\x04\\xbc^\\xb8u*\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xee\\xa4\\xee\\x98\\xee*\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf1\\xec\\x04\\xbc^\\xb8u*\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "CallForAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xee\\xa4\\xee\\x98\\xee*\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf1\\xec\\x04\\xbc^\\xb8u*\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "RestrictedAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xee\\xa4\\xee\\x98\\xee*\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf1\\xec\\x04\\xbc^\\xb8u*\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "FolderValueFlags"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1581568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747ba92e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 496
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 498
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 500
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 502
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ValueName",
                "value": "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 509
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe9\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xea\\xc4\\xe9\\xb8\\xe9\\xfe\\x02\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xec\\xec\\x04\\xbc^\\xb8u\\xfe\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fe"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 520
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 524
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 530
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Drive\\shellex\\FolderExtensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Drive\\shellex\\FolderExtensions"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Drive\\shellex\\FolderExtensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Drive\\shellex\\FolderExtensions"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b81962",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xf1\\x8c\\xf1\\x80\\xf1\\xfe\\x02\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02(\\xf4\\xec\\x04\\xbc^\\xb8u\\xfe\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Drive\\shellex\\FolderExtensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Drive\\shellex\\FolderExtensions"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 540
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000300"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000302"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000302"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00D\\xf2\\xf4\\xf1\\xe8\\xf1\\x02\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x90\\xf4\\xec\\x04\\xbc^\\xb8u\\x02\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000302"
              },
              {
                "name": "ValueName",
                "value": "DriveMask"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000302"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748212a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fe"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x754dd000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x754dd000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 557
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ValueName",
                "value": "AllowFileCLSIDJunctions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 561
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ValueName",
                "value": "AllowFileCLSIDJunctions"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x7484fed3",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 566
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ValueName",
                "value": ".exe"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "program"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7411820f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 570
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xe7L\\xe7@\\xe7\\xfe\\x02\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xe9\\xec\\x04\\xbc^\\xb8u\\xfe\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002fe"
              },
              {
                "name": "ValueName",
                "value": "Content Type"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "application/x-msdownload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74118252",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fe"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-29 22:15:01,234",
            "thread_id": "168",
            "caller": "0x7413a16b",
            "parentcaller": "0x7413df08",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x76a30000"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x7413a16b",
            "parentcaller": "0x7413df08",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x74132259",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e2ff",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e2ff",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000034c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x7412de75",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000034c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04ed0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ece26c"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e2ff",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000350"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x74122e49",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000350"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecf114"
              },
              {
                "name": "ViewSize",
                "value": "0x00049000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x75b93f35",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x75b93f3f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x75b93f4b",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75ba6b8e",
            "parentcaller": "0x741327d9",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75ba6b8e",
            "parentcaller": "0x741327d9",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e2ff",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e2ff",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000354"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x7412de75",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000354"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04f30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ece1c4"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e2ff",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000358"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x74122e49",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000358"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04f40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecf06c"
              },
              {
                "name": "ViewSize",
                "value": "0x0009c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x75b93f35",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x75b93f3f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x75b93f4b",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75ba6b8e",
            "parentcaller": "0x741327d9",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75ba6b8e",
            "parentcaller": "0x741327d9",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f65cf3",
            "parentcaller": "0x76f51e9b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f51f50",
            "parentcaller": "0x76f38d78",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f392db",
            "parentcaller": "0x76f39742",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\PROPSYS.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f392db",
            "parentcaller": "0x76f39742",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\PROPSYS.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f3978c",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\propsys.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f397b4",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04fe0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecdf58"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x76f397c4",
            "parentcaller": "0x76f3926e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x7484ffd7",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3236:168:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x748501d2",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480d42e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x748501b1",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 1,
            "id": 630
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 631
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "DontShowSuperHidden"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 635
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "DontShowSuperHidden"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 639
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ShellState"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ShellState"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "$\\x00\\x00\\x004(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74834986",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 645
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "NoWebView"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 649
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "NoWebView"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 653
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ClassicShell"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 657
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ClassicShell"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 661
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "SeparateProcess"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 665
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "SeparateProcess"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 669
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "NoNetCrawling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 673
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "NoNetCrawling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Advanced"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Hidden"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ShowCompColor"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "HideFileExt"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "DontPrettyPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ShowInfoTip"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "HideIcons"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "MapNetDrvBtn"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-06-29 22:15:01,250",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "WebView"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Filter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ShowSuperHidden"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "SeparateProcess"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "NoNetCrawling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "AutoCheckSelect"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "IconsOnly"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ShowTypeOverlay"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ShowStatusBar"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74834eae",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7481708d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x7481715c",
            "parentcaller": "0x748170b0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748170ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 698
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xee\\xe4\\xed\\xd8\\xedj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf0\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "exefile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 708
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xeed\\xeeX\\xeen\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\xf1\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00D\\xef\\xf4\\xee\\xe8\\xeen\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x90\\xf1\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748175e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xeft\\xefh\\xefr\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\xf2\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 729
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xeft\\xefh\\xefn\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\xf2\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf0\\xa4\\xf0\\x98\\xf0r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\xf3\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0n\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf0\\xa4\\xf0\\x98\\xf0n\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\xf3\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf0\\xa4\\xf0\\x98\\xf0r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\xf3\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0n\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf0\\xa4\\xf0\\x98\\xf0n\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\xf3\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xe4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xe4\\xa4\\xe4\\x98\\xe4j\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xe7\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ValueName",
                "value": "Content Type"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "application/x-msdownload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xe3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xe4\\xfc\\xe3\\xf0\\xe3r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x98\\xe6\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xe4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xe4\\\\xe4P\\xe4n\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf8\\xe6\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0n\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "AlwaysShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0n\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": "AlwaysShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xf0,\\xf0 \\xf0n\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xf2\\xec\\x04\\xbc^\\xb8un\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036a"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 827
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036c"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description"
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21769"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-183"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf5\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000368"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa4\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff$\\xf4\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0stH\\xf4\\xec\\x04D\\xf4\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000368"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000374"
              },
              {
                "name": "ValueName",
                "value": "Desktop"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%USERPROFILE%\\Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2026-06-29 22:15:01,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75c63000"
              },
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75c63000"
              },
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 874
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xcd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xcd\\x9c\\xcd\\x90\\xcdv\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xd0\\xec\\x04\\xbc^\\xb8uv\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x747e8363",
            "parentcaller": "0x74838450",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e548",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 1,
            "id": 887
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.1"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.1.ro"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e548",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x74130337",
            "parentcaller": "0x7412e3dc",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches"
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7412feba",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7412fed8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7412ff1a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\x96i\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412ff3f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75baacf0",
            "parentcaller": "0x74130249",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75baad3d",
            "parentcaller": "0x74130249",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75baacf0",
            "parentcaller": "0x7413027e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75baad3d",
            "parentcaller": "0x7413027e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7413029c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f01ff"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7412feba",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7412fed8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7412ff1a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\x98i\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412ff3f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8f828",
            "parentcaller": "0x75b8f48e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.1.ro"
              },
              {
                "name": "FileHandle",
                "value": "0x00000374"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e046",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x7412e063",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000370"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04ff0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04eccc4c"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db"
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9f14d",
            "parentcaller": "0x7412fc7d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000374"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x02\\x00\\x00\\x00\\x00\\x00\\x10p\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7412feba",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7412fed8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7412ff1a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\x97i\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412ff3f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8f828",
            "parentcaller": "0x75b8f48e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db"
              },
              {
                "name": "FileHandle",
                "value": "0x00000374"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412fca1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x74122e49",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05000000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecdaf4"
              },
              {
                "name": "ViewSize",
                "value": "0x00028000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x748104e7",
            "parentcaller": "0x747e84a6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x755f8c69",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000006"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\windows_shell_global_counters"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x755f8b17",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000374"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecdb18"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x748104e7",
            "parentcaller": "0x747e84a6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 4,
            "id": 924
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x74130107",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e548",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x741301d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9f5a5",
            "parentcaller": "0x741301e1",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04ff0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Desktop\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Desktop\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Desktop\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x007\\x006\\x009\\x00\r\\x00\n\\x00I\\x00c\\x00o\\x00n\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00=\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00"
              },
              {
                "name": "Length",
                "value": "282"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Desktop\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "E\\x90\\xf7\\xf7v\\x07\\xdd\\x01\\x1c\\xc3I\\xf2|\\x07\\xdd\\x01E\\x90\\xf7\\xf7v\\x07\\xdd\\x01E\\x90\\xf7\\xf7v\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 941
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 943
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7481708d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x7481715c",
            "parentcaller": "0x748170b0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748170ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 949
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Directory"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Directory"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xeaD\\xea8\\xear\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\xec\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory\\ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 959
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Folder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Folder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Folder"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xeaD\\xea8\\xeaj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\xec\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Folder\\ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 969
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xeaD\\xea8\\xea~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\xec\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xear\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xcc\\xeb|\\xebp\\xebr\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\xee\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory\\DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xeaj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Folder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xcc\\xeb|\\xebp\\xebj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\xee\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Folder\\DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-06-29 22:15:01,281",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xea~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xcc\\xeb|\\xebp\\xeb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\xee\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DocObject"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xear\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xcc\\xeb|\\xebp\\xebr\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\xee\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory\\BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xeaj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Folder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xcc\\xeb|\\xebp\\xebj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\xee\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Folder\\BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1029
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xea~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1031
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xcc\\xeb|\\xebp\\xeb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\xee\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1037
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "BrowseInPlace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xde\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xdf\\xd4\\xde\\xc8\\xder\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\xe1\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1045
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xde\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xdf4\\xdf(\\xdfj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xe1\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Folder\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xde\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xdf4\\xdf(\\xdf~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xe1\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1051
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 1053
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xear\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1056
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory"
              }
            ],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xeaj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1061
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Folder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder"
              }
            ],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 1063
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1065
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xea~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xear\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "AlwaysShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt"
              }
            ],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xear\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Directory"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory"
              }
            ],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xeaj\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8uj\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Folder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036a"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xeb\\x04\\xeb\\xf8\\xea~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xed\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036a"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1092
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Libraries"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Libraries"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1103
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1104
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1108
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000368"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf5\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 1122
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa4\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff$\\xf4\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0stH\\xf4\\xec\\x04D\\xf4\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1125
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 1127
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1128
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              }
            ],
            "repeated": 0,
            "id": 1129
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1130
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1131
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1133
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1135
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1137
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppData\\Roaming"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1138
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1139
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1141
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1142
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1143
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1146
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000380"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000380"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "AppData"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%USERPROFILE%\\AppData\\Roaming"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData"
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 1161
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1163
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1164
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1165
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2026-06-29 22:15:01,297",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1167
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1168
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Local Documents"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1171
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Documents"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{d3162b92-9365-467a-956b-92703aca08af}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21770"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-112"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1185
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000368"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 1191
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf5\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 1196
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1197
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa4\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff$\\xf4\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0stH\\xf4\\xec\\x04D\\xf4\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1198
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1199
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1201
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
              }
            ],
            "repeated": 0,
            "id": 1202
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1203
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1204
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1206
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Profile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1214
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1217
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0$g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2026-06-29 22:15:01,312",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\profapi.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000388"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000384"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000388"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x740d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x740e5000"
              },
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x740e3000"
              },
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000388"
              }
            ],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x740e3000"
              },
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1247
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1249
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\profapi.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2026-06-29 22:15:01,328",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x740d0000"
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\profapi"
              },
              {
                "name": "BaseAddress",
                "value": "0x740d0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x740da250"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1257
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1267
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1268
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1269
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1273
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xcd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xcd\\x9c\\xcd\\x90\\xcd\\x82\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xd0\\xec\\x04\\xbc^\\xb8u\\x82\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1275
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1279
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1280
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 1281
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1282
          },
          {
            "timestamp": "2026-06-29 22:15:01,343",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Documents\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1283
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000380"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Documents\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x98\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1284
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000380"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Documents\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x007\\x007\\x000\\x00\r\\x00\n\\x00I\\x00c\\x00o\\x00n\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00=\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00"
              },
              {
                "name": "Length",
                "value": "402"
              }
            ],
            "repeated": 0,
            "id": 1285
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000380"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Documents\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\xd1\\xfe\\xf7v\\x07\\xdd\\x01\\xf2\\xf3\\xcf\\xf8|\\x07\\xdd\\x016\\x8f\\x16\\xf8v\\x07\\xdd\\x016\\x8f\\x16\\xf8v\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1286
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1287
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1288
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1289
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 1290
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1291
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1292
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1293
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1294
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000380"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A0C69A99-21C8-4671-8703-7934162FCF1D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
              }
            ],
            "repeated": 0,
            "id": 1295
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1296
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1297
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Local Music"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1298
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1299
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1300
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Music"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1301
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1302
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1303
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12689"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1304
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21790"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1305
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-108"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1306
          },
          {
            "timestamp": "2026-06-29 22:15:01,359",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1307
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1308
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1309
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1310
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1311
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1312
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1313
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1314
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1315
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1316
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1317
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1318
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000384"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1319
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1320
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1321
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1322
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf5\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1323
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 1324
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 1325
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1326
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa4\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff$\\xf4\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0stH\\xf4\\xec\\x04D\\xf4\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1327
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1328
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 1329
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1330
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "{A0C69A99-21C8-4671-8703-7934162FCF1D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
              }
            ],
            "repeated": 0,
            "id": 1331
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1332
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0%g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1333
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1334
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 1335
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1336
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1337
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1338
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1339
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1340
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1341
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1342
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1343
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1344
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1345
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1346
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1347
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1348
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1349
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1350
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1351
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xcd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xcd\\x9c\\xcd\\x90\\xcdr\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xd0\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1352
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1353
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1354
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1355
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1356
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1357
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 1358
          },
          {
            "timestamp": "2026-06-29 22:15:01,375",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1359
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Music\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1360
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Music\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1361
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Music\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x007\\x009\\x000\\x00\r\\x00\n\\x00I\\x00n\\x00f\\x00o\\x00T\\x00i\\x00p\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00"
              },
              {
                "name": "Length",
                "value": "504"
              }
            ],
            "repeated": 0,
            "id": 1362
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Music\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf2T\\xfc\\xf7v\\x07\\xdd\\x01A\\xdf\\xa2\\xf1|\\x07\\xdd\\x01.\\xa3\n\\xf8v\\x07\\xdd\\x01.\\xa3\n\\xf8v\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1363
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1364
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1365
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1366
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 1367
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1368
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1369
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1370
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1371
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{0DDD015D-B06C-45D5-8C4C-F59713854639}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
              }
            ],
            "repeated": 0,
            "id": 1372
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1373
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1374
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Local Pictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1375
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1376
          },
          {
            "timestamp": "2026-06-29 22:15:01,390",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1377
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Pictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1378
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1379
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{24ad3ad4-a569-4530-98e1-ab02f9417aa8}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1380
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12688"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1381
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21779"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1382
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-113"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1383
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1384
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1385
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1386
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1387
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1388
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1389
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1390
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1391
          },
          {
            "timestamp": "2026-06-29 22:15:01,406",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1392
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1393
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1394
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1395
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000384"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1396
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1397
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1398
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1399
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf5\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1400
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 1401
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 1402
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1403
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa4\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff$\\xf4\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0stH\\xf4\\xec\\x04D\\xf4\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1404
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1405
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 1406
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1407
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "ValueName",
                "value": "{0DDD015D-B06C-45D5-8C4C-F59713854639}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
              }
            ],
            "repeated": 0,
            "id": 1408
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1409
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0%g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1410
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1411
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 1412
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1413
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1414
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1415
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1416
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1417
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1418
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1419
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1420
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1421
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1422
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1423
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1424
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1425
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1426
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1427
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1428
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xcd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xcd\\x9c\\xcd\\x90\\xcd\\x92\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xd0\\xec\\x04\\xbc^\\xb8u\\x92\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1429
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1430
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1431
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              }
            ],
            "repeated": 0,
            "id": 1432
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1433
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1434
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 1435
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1436
          },
          {
            "timestamp": "2026-06-29 22:15:01,422",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Pictures\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1437
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000390"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Pictures\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1438
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000390"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Pictures\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x007\\x007\\x009\\x00\r\\x00\n\\x00I\\x00n\\x00f\\x00o\\x00T\\x00i\\x00p\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00"
              },
              {
                "name": "Length",
                "value": "504"
              }
            ],
            "repeated": 0,
            "id": 1439
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000390"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Pictures\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "E\\x90\\xf7\\xf7v\\x07\\xdd\\x01\\xf2\\xf3\\xcf\\xf8|\\x07\\xdd\\x01\\x88\\xf2\\xf9\\xf7v\\x07\\xdd\\x01\\x88\\xf2\\xf9\\xf7v\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1440
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1441
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1442
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1443
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 1444
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1445
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1446
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1447
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1448
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000390"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
              }
            ],
            "repeated": 0,
            "id": 1449
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1450
          },
          {
            "timestamp": "2026-06-29 22:15:01,437",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1451
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Local Videos"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1452
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1453
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1454
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Videos"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1455
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1456
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1457
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12690"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1458
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21791"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1459
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-189"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1460
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1461
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1462
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1463
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1464
          },
          {
            "timestamp": "2026-06-29 22:15:01,453",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1465
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1466
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1467
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1468
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1469
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1470
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1471
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1472
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000384"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1473
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1474
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1475
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1476
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf5\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1477
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 1478
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 1479
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1480
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa4\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff$\\xf4\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0stH\\xf4\\xec\\x04D\\xf4\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1481
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1482
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 1483
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1484
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "ValueName",
                "value": "{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
              }
            ],
            "repeated": 0,
            "id": 1485
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1486
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0%g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1487
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1488
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 1489
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1490
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1491
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 1492
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1493
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1494
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1495
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1496
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1497
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1498
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1499
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1500
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1501
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1502
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1503
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000396"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1504
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000396"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1505
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xcd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xcd\\x9c\\xcd\\x90\\xcd\\x96\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xd0\\xec\\x04\\xbc^\\xb8u\\x96\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1506
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1507
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1508
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              }
            ],
            "repeated": 0,
            "id": 1509
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1510
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1511
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 1512
          },
          {
            "timestamp": "2026-06-29 22:15:01,468",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1513
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Videos\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1514
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Videos\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1515
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Videos\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x007\\x009\\x001\\x00\r\\x00\n\\x00I\\x00n\\x00f\\x00o\\x00T\\x00i\\x00p\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00"
              },
              {
                "name": "Length",
                "value": "504"
              }
            ],
            "repeated": 0,
            "id": 1516
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Videos\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "~B\\xe9\\xf7v\\x07\\xdd\\x01A\\xdf\\xa2\\xf1|\\x07\\xdd\\x01\\x88\\xf2\\xf9\\xf7v\\x07\\xdd\\x01\\x88\\xf2\\xf9\\xf7v\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1517
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1518
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1519
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1520
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 1521
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1522
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1523
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1524
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1525
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000394"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
              }
            ],
            "repeated": 0,
            "id": 1526
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1527
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1528
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Local Downloads"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1529
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1530
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1531
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Downloads"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1532
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1533
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{088e3905-0323-4b02-9826-5d99428e115f}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1534
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1535
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21798"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1536
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-184"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1537
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1538
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1539
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1540
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1541
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1542
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1543
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1544
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1545
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1546
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1547
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1548
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1549
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1550
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1551
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1552
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1553
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf5\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1554
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 1555
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 1556
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1557
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa4\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff$\\xf4\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0stH\\xf4\\xec\\x04D\\xf4\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1558
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1559
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 1560
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1561
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "ValueName",
                "value": "{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
              }
            ],
            "repeated": 0,
            "id": 1562
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1563
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8(g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1564
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1565
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 1566
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1567
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1568
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1569
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1570
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1571
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1572
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1573
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1574
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1575
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1576
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1577
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1578
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1579
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1580
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1581
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1582
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xcd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xcd\\x9c\\xcd\\x90\\xcd\\x82\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xd0\\xec\\x04\\xbc^\\xb8u\\x82\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1583
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1584
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1585
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 1586
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1587
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1588
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 1589
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1590
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Downloads\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1591
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000380"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Downloads\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1592
          },
          {
            "timestamp": "2026-06-29 22:15:01,484",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000380"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Downloads\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x007\\x009\\x008\\x00\r\\x00\n\\x00I\\x00c\\x00o\\x00n\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00=\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00"
              },
              {
                "name": "Length",
                "value": "282"
              }
            ],
            "repeated": 0,
            "id": 1593
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000380"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Downloads\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": ".\\xa3\n\\xf8v\\x07\\xdd\\x01A\\xdf\\xa2\\xf1|\\x07\\xdd\\x01\\xc3\\x05\r\\xf8v\\x07\\xdd\\x01\\xc3\\x05\r\\xf8v\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1594
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1595
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1596
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 1597
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 1598
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1599
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1600
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1601
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1602
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000380"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
              }
            ],
            "repeated": 0,
            "id": 1603
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1604
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1605
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1606
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf5\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1607
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1608
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8(g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1609
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1610
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 1611
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1612
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 1613
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1614
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1615
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1616
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1617
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1618
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1619
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000380"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}"
              }
            ],
            "repeated": 0,
            "id": 1620
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 1621
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1622
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "UsersFilesFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1623
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1624
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1625
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1626
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{59031a47-3f72-44a7-89c5-5595fe6b30ee}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1627
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1628
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1629
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1630
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1631
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1632
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1633
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1634
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1635
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1636
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1637
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1638
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1639
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1640
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1641
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1642
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000380"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1643
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1644
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1645
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1646
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1647
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 1648
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 1649
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1650
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1651
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xe6\\x84\\xe6x\\xe6r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02 \\xe9\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1652
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 1653
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "18446744073449767213"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1654
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1655
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1656
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xe6\\x84\\xe6x\\xe6r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02 \\xe9\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1657
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 1658
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "CallForAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\CallForAttributes"
              }
            ],
            "repeated": 0,
            "id": 1659
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1660
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1661
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xe6\\x84\\xe6x\\xe6r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02 \\xe9\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1662
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 1663
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "RestrictedAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\RestrictedAttributes"
              }
            ],
            "repeated": 0,
            "id": 1664
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1665
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1666
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xe6\\x84\\xe6x\\xe6r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02 \\xe9\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1667
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 1668
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "FolderValueFlags"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5243433"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\FolderValueFlags"
              }
            ],
            "repeated": 0,
            "id": 1669
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747ba92e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1670
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1671
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 1672
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1673
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 1674
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1675
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 1676
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1677
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 1678
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "{59031A47-3F72-44A7-89C5-5595FE6B30EE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}"
              }
            ],
            "repeated": 0,
            "id": 1679
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1680
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1681
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1682
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1683
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1684
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1685
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1686
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1687
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1688
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1689
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1690
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xdc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xdc\\xa4\\xdc\\x98\\xdcr\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xdf\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1691
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1692
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\Windows.Storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1693
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1694
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1695
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 1696
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 1697
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1698
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1699
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 1700
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 1701
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1702
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1703
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 1704
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StorageDelegateSuppressionPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{92803FB4-7706-4035-ACD7-F63E069D3697}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders\\StorageDelegateSuppressionPolicy"
              }
            ],
            "repeated": 0,
            "id": 1705
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1706
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1707
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 1708
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PreventItemCreationInUsersFilesFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreventItemCreationInUsersFilesFolder"
              }
            ],
            "repeated": 0,
            "id": 1709
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1710
          },
          {
            "timestamp": "2026-06-29 22:15:01,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1711
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 1712
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PreventItemCreationInUsersFilesFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreventItemCreationInUsersFilesFolder"
              }
            ],
            "repeated": 0,
            "id": 1713
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1714
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1715
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 1716
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StorageDelegate"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFFACDC5-679F-4156-8947-C5C76BC0B67F}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders\\StorageDelegate"
              }
            ],
            "repeated": 0,
            "id": 1717
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1718
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1719
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1720
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1721
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 1722
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 1723
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1724
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1725
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1726
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1727
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1728
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1729
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1730
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1731
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1732
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1733
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xdc\\xc4\\xdb\\xb8\\xdb\\x8e\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xde\\xec\\x04\\xbc^\\xb8u\\x8e\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1734
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1735
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\Windows.Storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1736
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038e"
              }
            ],
            "repeated": 0,
            "id": 1737
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1738
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1739
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xdc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xdd\\xfc\\xdc\\xf0\\xdcr\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xdf\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1740
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 1741
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "CLSID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\CLSID"
              }
            ],
            "repeated": 0,
            "id": 1742
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1743
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1744
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e779e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1745
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1746
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1747
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1748
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1749
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1750
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1751
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1752
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xd1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xd2\\x04\\xd2\\xf8\\xd1\\x8e\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xd4\\xec\\x04\\xbc^\\xb8u\\x8e\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1753
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1754
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\Windows.Storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1755
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1756
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1757
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xd1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xd2\\x04\\xd2\\xf8\\xd1\\x8e\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xd4\\xec\\x04\\xbc^\\xb8u\\x8e\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1758
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1759
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038e"
              },
              {
                "name": "ValueName",
                "value": "LoadWithoutCOM"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32\\LoadWithoutCOM"
              }
            ],
            "repeated": 0,
            "id": 1760
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038e"
              }
            ],
            "repeated": 0,
            "id": 1761
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x747e780c",
            "parentcaller": "0x74839a38",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0E5AAE11-A475-4C5B-AB00-C66DE400274E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ADD8BA80-002B-11D0-8F0F-00C04FD7D062"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1762
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1763
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1764
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xddt\\xddh\\xddr\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x10\\xe0\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1765
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1766
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1767
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1768
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1769
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1770
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1771
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xdc\\xdc\\xdb\\xd0\\xdb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xde\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1772
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1773
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1774
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1775
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1776
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xdc\\xdc\\xdb\\xd0\\xdb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xde\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1777
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1778
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "17"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1779
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1780
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1781
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xdc\\xdc\\xdb\\xd0\\xdb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xde\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1782
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1783
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "DescriptionID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\DescriptionID"
              }
            ],
            "repeated": 0,
            "id": 1784
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1785
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1786
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xdc\\xc4\\xdb\\xb8\\xdb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xde\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1787
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1788
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "HelpTopic"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\HelpTopic"
              }
            ],
            "repeated": 0,
            "id": 1789
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1790
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1791
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xdc\\xc4\\xdb\\xb8\\xdb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xde\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1792
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1793
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "AllowChildAliasRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\AllowChildAliasRegistration"
              }
            ],
            "repeated": 0,
            "id": 1794
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1795
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1796
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xdc\\xdc\\xdb\\xd0\\xdb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xde\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1797
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1798
          },
          {
            "timestamp": "2026-06-29 22:15:01,515",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "RecursiveSearch"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\RecursiveSearch"
              }
            ],
            "repeated": 0,
            "id": 1799
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1800
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1801
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xdc\\xbc\\xdb\\xb0\\xdb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xde\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1802
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1803
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "TargetKnownFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\TargetKnownFolder"
              }
            ],
            "repeated": 0,
            "id": 1804
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1805
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1806
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xdc\\xbc\\xdb\\xb0\\xdb~\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xde\\xec\\x04\\xbc^\\xb8u~\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1807
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1808
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037e"
              },
              {
                "name": "ValueName",
                "value": "TargetKnownFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\TargetKnownFolder"
              }
            ],
            "repeated": 0,
            "id": 1809
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1810
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1811
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1812
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 1813
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1814
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 1815
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000384"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\"
              }
            ],
            "repeated": 0,
            "id": 1816
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1817
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\"
              }
            ],
            "repeated": 0,
            "id": 1818
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7621302b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 1819
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1820
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1821
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75ba6b8e",
            "parentcaller": "0x748202ab",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              }
            ],
            "repeated": 0,
            "id": 1822
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1823
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x74129afa",
            "parentcaller": "0x747e9d08",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "76765B11-3F95-4AF2-AC9D-EA55D8994F1A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1824
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1825
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1826
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1827
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1828
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1829
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1830
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1831
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1832
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1833
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1834
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xe0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xe1$\\xe1\\x18\\xe1r\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xe3\\xec\\x04\\xbc^\\xb8ur\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1835
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 1836
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1837
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1838
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1839
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1840
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1841
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1842
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1843
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1844
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1845
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 1846
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 1847
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1848
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1849
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 1850
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "10"
              }
            ],
            "repeated": 0,
            "id": 1851
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "11"
              }
            ],
            "repeated": 0,
            "id": 1852
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "12"
              }
            ],
            "repeated": 0,
            "id": 1853
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 1854
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "14"
              }
            ],
            "repeated": 0,
            "id": 1855
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 1856
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 1857
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 1858
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "18"
              }
            ],
            "repeated": 0,
            "id": 1859
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "19"
              }
            ],
            "repeated": 0,
            "id": 1860
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "20"
              }
            ],
            "repeated": 0,
            "id": 1861
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "21"
              }
            ],
            "repeated": 0,
            "id": 1862
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "22"
              }
            ],
            "repeated": 0,
            "id": 1863
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "23"
              }
            ],
            "repeated": 0,
            "id": 1864
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 1865
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "25"
              }
            ],
            "repeated": 0,
            "id": 1866
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "26"
              }
            ],
            "repeated": 0,
            "id": 1867
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1868
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "28"
              }
            ],
            "repeated": 0,
            "id": 1869
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "29"
              }
            ],
            "repeated": 0,
            "id": 1870
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "30"
              }
            ],
            "repeated": 0,
            "id": 1871
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "31"
              }
            ],
            "repeated": 0,
            "id": 1872
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "32"
              }
            ],
            "repeated": 0,
            "id": 1873
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "33"
              }
            ],
            "repeated": 0,
            "id": 1874
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "34"
              }
            ],
            "repeated": 0,
            "id": 1875
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "35"
              }
            ],
            "repeated": 0,
            "id": 1876
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "36"
              }
            ],
            "repeated": 0,
            "id": 1877
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "37"
              }
            ],
            "repeated": 0,
            "id": 1878
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "38"
              }
            ],
            "repeated": 0,
            "id": 1879
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "39"
              }
            ],
            "repeated": 0,
            "id": 1880
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "40"
              }
            ],
            "repeated": 0,
            "id": 1881
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "41"
              }
            ],
            "repeated": 0,
            "id": 1882
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "42"
              }
            ],
            "repeated": 0,
            "id": 1883
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "43"
              }
            ],
            "repeated": 0,
            "id": 1884
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "44"
              }
            ],
            "repeated": 0,
            "id": 1885
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "45"
              }
            ],
            "repeated": 0,
            "id": 1886
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "46"
              }
            ],
            "repeated": 0,
            "id": 1887
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "47"
              }
            ],
            "repeated": 0,
            "id": 1888
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "48"
              }
            ],
            "repeated": 0,
            "id": 1889
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "49"
              }
            ],
            "repeated": 0,
            "id": 1890
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "50"
              }
            ],
            "repeated": 0,
            "id": 1891
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "51"
              }
            ],
            "repeated": 0,
            "id": 1892
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "52"
              }
            ],
            "repeated": 0,
            "id": 1893
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "53"
              }
            ],
            "repeated": 0,
            "id": 1894
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "54"
              }
            ],
            "repeated": 0,
            "id": 1895
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "55"
              }
            ],
            "repeated": 0,
            "id": 1896
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "56"
              }
            ],
            "repeated": 0,
            "id": 1897
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "57"
              }
            ],
            "repeated": 0,
            "id": 1898
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "58"
              }
            ],
            "repeated": 0,
            "id": 1899
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "59"
              }
            ],
            "repeated": 0,
            "id": 1900
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "60"
              }
            ],
            "repeated": 0,
            "id": 1901
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "61"
              }
            ],
            "repeated": 0,
            "id": 1902
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "62"
              }
            ],
            "repeated": 0,
            "id": 1903
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "63"
              }
            ],
            "repeated": 0,
            "id": 1904
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 1905
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "65"
              }
            ],
            "repeated": 0,
            "id": 1906
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "66"
              }
            ],
            "repeated": 0,
            "id": 1907
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "67"
              }
            ],
            "repeated": 0,
            "id": 1908
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "68"
              }
            ],
            "repeated": 0,
            "id": 1909
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "69"
              }
            ],
            "repeated": 0,
            "id": 1910
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "70"
              }
            ],
            "repeated": 0,
            "id": 1911
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "71"
              }
            ],
            "repeated": 0,
            "id": 1912
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "72"
              }
            ],
            "repeated": 0,
            "id": 1913
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "73"
              }
            ],
            "repeated": 0,
            "id": 1914
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "74"
              }
            ],
            "repeated": 0,
            "id": 1915
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "75"
              }
            ],
            "repeated": 0,
            "id": 1916
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "76"
              }
            ],
            "repeated": 0,
            "id": 1917
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "77"
              }
            ],
            "repeated": 0,
            "id": 1918
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "78"
              }
            ],
            "repeated": 0,
            "id": 1919
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 1920
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "80"
              }
            ],
            "repeated": 0,
            "id": 1921
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "81"
              }
            ],
            "repeated": 0,
            "id": 1922
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "82"
              }
            ],
            "repeated": 0,
            "id": 1923
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "83"
              }
            ],
            "repeated": 0,
            "id": 1924
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "84"
              }
            ],
            "repeated": 0,
            "id": 1925
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "85"
              }
            ],
            "repeated": 0,
            "id": 1926
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "86"
              }
            ],
            "repeated": 0,
            "id": 1927
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "87"
              }
            ],
            "repeated": 0,
            "id": 1928
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 1929
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "89"
              }
            ],
            "repeated": 0,
            "id": 1930
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "90"
              }
            ],
            "repeated": 0,
            "id": 1931
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "91"
              }
            ],
            "repeated": 0,
            "id": 1932
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "92"
              }
            ],
            "repeated": 0,
            "id": 1933
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "93"
              }
            ],
            "repeated": 0,
            "id": 1934
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "94"
              }
            ],
            "repeated": 0,
            "id": 1935
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "95"
              }
            ],
            "repeated": 0,
            "id": 1936
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "96"
              }
            ],
            "repeated": 0,
            "id": 1937
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "97"
              }
            ],
            "repeated": 0,
            "id": 1938
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "98"
              }
            ],
            "repeated": 0,
            "id": 1939
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "99"
              }
            ],
            "repeated": 0,
            "id": 1940
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "100"
              }
            ],
            "repeated": 0,
            "id": 1941
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "101"
              }
            ],
            "repeated": 0,
            "id": 1942
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "102"
              }
            ],
            "repeated": 0,
            "id": 1943
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "103"
              }
            ],
            "repeated": 0,
            "id": 1944
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "104"
              }
            ],
            "repeated": 0,
            "id": 1945
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "105"
              }
            ],
            "repeated": 0,
            "id": 1946
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "106"
              }
            ],
            "repeated": 0,
            "id": 1947
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "107"
              }
            ],
            "repeated": 0,
            "id": 1948
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "108"
              }
            ],
            "repeated": 0,
            "id": 1949
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "109"
              }
            ],
            "repeated": 0,
            "id": 1950
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "110"
              }
            ],
            "repeated": 0,
            "id": 1951
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "111"
              }
            ],
            "repeated": 0,
            "id": 1952
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 1953
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "113"
              }
            ],
            "repeated": 0,
            "id": 1954
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "114"
              }
            ],
            "repeated": 0,
            "id": 1955
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "115"
              }
            ],
            "repeated": 0,
            "id": 1956
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "116"
              }
            ],
            "repeated": 0,
            "id": 1957
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "117"
              }
            ],
            "repeated": 0,
            "id": 1958
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "118"
              }
            ],
            "repeated": 0,
            "id": 1959
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "119"
              }
            ],
            "repeated": 0,
            "id": 1960
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "120"
              }
            ],
            "repeated": 0,
            "id": 1961
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "121"
              }
            ],
            "repeated": 0,
            "id": 1962
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "122"
              }
            ],
            "repeated": 0,
            "id": 1963
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "123"
              }
            ],
            "repeated": 0,
            "id": 1964
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "124"
              }
            ],
            "repeated": 0,
            "id": 1965
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "125"
              }
            ],
            "repeated": 0,
            "id": 1966
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "126"
              }
            ],
            "repeated": 0,
            "id": 1967
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "127"
              }
            ],
            "repeated": 0,
            "id": 1968
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "Index",
                "value": "128"
              }
            ],
            "repeated": 0,
            "id": 1969
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487cf11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1970
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1971
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1972
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}"
              }
            ],
            "repeated": 0,
            "id": 1973
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1974
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1975
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Searches"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1976
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1977
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1978
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Searches"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1979
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1980
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\{7d1d3a04-debb-4115-95cf-2f29da2920da}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1981
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1982
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-9031"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1983
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-18"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1984
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1985
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1986
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1987
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1988
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1989
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1990
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1991
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1992
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1993
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1994
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{0b0ba2e3-405f-415e-a6ee-cad625207853}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1995
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1996
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1997
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1998
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x747bfb9b",
            "parentcaller": "0x747c23f7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4DF0C730-DF9D-4AE3-9153-AA6B82E9795A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8BE2D872-86AA-4D47-B776-32CCA40C7018"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1999
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x7484ef21",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3236:64:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2000
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x748501d2",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2001
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2002
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2003
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480d42e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2004
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x748501b1",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 1,
            "id": 2005
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2006
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 2007
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2008
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 2009
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2010
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 2011
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2012
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2013
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2014
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 2015
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 2016
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2017
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2018
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2019
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 2020
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2021
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}"
              }
            ],
            "repeated": 0,
            "id": 2022
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2023
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X,g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2024
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2025
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 2026
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 2027
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 2028
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2029
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2030
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2031
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 2032
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2033
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2034
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              }
            ],
            "repeated": 0,
            "id": 2035
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 2036
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2037
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2038
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2039
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2040
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2041
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2042
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2043
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2044
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2045
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2046
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2047
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2048
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2049
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2050
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2051
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2052
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2053
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2054
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2055
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2056
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2057
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2058
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2059
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2060
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2061
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}"
              }
            ],
            "repeated": 0,
            "id": 2062
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2063
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2064
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ProgramFilesCommon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2065
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2066
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2067
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2068
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2069
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2070
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2071
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2072
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2073
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2074
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2075
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2076
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2077
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2078
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2079
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2080
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2081
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2082
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2083
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2084
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2085
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2086
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2087
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2088
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2112AB0A-C86A-4FFE-A368-0DE96E47012E}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4FFE-A368-0DE96E47012E}"
              }
            ],
            "repeated": 0,
            "id": 2089
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2090
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2091
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "MusicLibrary"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2092
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2093
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2094
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Music.library-ms"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2095
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2096
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2097
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12689"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2098
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-34584"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2099
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-1004"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2100
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2101
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\shell32.dll,-2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2102
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LIBRARY"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2103
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2104
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2105
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2106
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2107
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2108
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2109
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2110
          },
          {
            "timestamp": "2026-06-29 22:15:01,531",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2111
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2112
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000039c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2113
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2114
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2115
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2116
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}"
              }
            ],
            "repeated": 0,
            "id": 2117
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2118
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2119
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PublicLibraries"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2120
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2121
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2122
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Libraries"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2123
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2124
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2125
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2126
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2127
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2128
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2129
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2130
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2131
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2132
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2133
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2134
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2135
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2136
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2137
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2138
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2139
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2140
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2141
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2142
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2143
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}"
              }
            ],
            "repeated": 0,
            "id": 2144
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2145
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2146
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2147
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2148
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2149
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2150
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2151
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2152
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21799"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2153
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2154
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "D:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;IU)(A;OICI;FA;;;SY)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2155
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2156
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2157
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2158
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2159
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2160
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2161
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2162
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2163
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2164
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2165
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2166
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2167
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2168
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2169
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2170
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}"
              }
            ],
            "repeated": 0,
            "id": 2171
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2172
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2173
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppDataDocuments"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2174
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2175
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2176
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Documents"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2177
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2178
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2179
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2180
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2181
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2182
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2183
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2184
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2185
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2186
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2187
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2188
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2189
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2190
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2191
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2192
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2193
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2194
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2195
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2196
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2197
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9E52AB10-F80D-49DF-ACB8-4330F5687855}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}"
              }
            ],
            "repeated": 0,
            "id": 2198
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2199
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2200
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CD Burning"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2201
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2202
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2203
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Burn\\Burn"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2204
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2205
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2206
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21815"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2207
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2208
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2209
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2210
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2211
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2212
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2213
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2214
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2215
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2216
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2217
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2218
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2219
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2220
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2221
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2222
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2223
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2224
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{E25B5812-BE88-4BD9-94B0-29233477B6C3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4BD9-94B0-29233477B6C3}"
              }
            ],
            "repeated": 0,
            "id": 2225
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 2226
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2227
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SavedPicturesLibrary"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2228
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2229
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2230
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SavedPictures.library-ms"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2231
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2232
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2233
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2234
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-34583"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2235
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2236
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2237
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\shell32.dll,-6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2238
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LIBRARY"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2239
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2240
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2241
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2242
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2243
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2244
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2245
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2246
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2247
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2248
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2249
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2250
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2251
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2252
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{98EC0E18-2098-4D44-8644-66979315A281}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}"
              }
            ],
            "repeated": 0,
            "id": 2253
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2254
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2255
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "MAPIFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2256
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2257
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2258
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2259
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{89D83576-6BD1-4C86-9454-BEB04E94C819}\\*"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2260
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2261
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2262
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2263
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2264
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2265
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2266
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2267
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2268
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2269
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2270
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2271
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2272
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2273
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2274
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2275
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2276
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2277
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2278
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2279
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
              }
            ],
            "repeated": 0,
            "id": 2280
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2281
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2282
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2283
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2284
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2285
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2286
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2287
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2288
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21786"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2289
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2290
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2291
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2292
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2293
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2294
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2295
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2296
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2297
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2298
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2299
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2300
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2301
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2302
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2303
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2304
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2305
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2306
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000370"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}"
              }
            ],
            "repeated": 0,
            "id": 2307
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 2308
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2309
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "My Video"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2310
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2311
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2312
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Videos"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2313
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2314
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{A0953C92-50DC-43BF-BE83-3742FED03C9C}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2315
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12690"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2316
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21791"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2317
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-189"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2318
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2319
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2320
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2321
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2322
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2323
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2324
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2325
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2326
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2327
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2328
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2329
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2330
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2331
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2332
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 2333
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Hide"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 2334
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2335
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2336
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2337
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 2338
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2339
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 2340
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 2341
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2342
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2343
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2344
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2345
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 2346
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2347
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 2348
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00P,g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 2349
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2350
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 2351
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2352
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 2353
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2354
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2355
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2356
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2357
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2358
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2359
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}"
              }
            ],
            "repeated": 0,
            "id": 2360
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2361
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2362
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Quick Launch"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2363
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2364
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2365
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Internet Explorer\\Quick Launch"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2366
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2367
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2368
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2369
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2370
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2371
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2372
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2373
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2374
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2375
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2376
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2377
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2378
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2379
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2380
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2381
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2382
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2383
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2384
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2385
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2386
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{DE974D24-D9C6-4D3E-BF91-F4455120B917}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}"
              }
            ],
            "repeated": 0,
            "id": 2387
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 2388
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2389
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ProgramFilesCommonX86"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2390
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2391
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2392
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2393
          },
          {
            "timestamp": "2026-06-29 22:15:01,547",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2394
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2395
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2396
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2397
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2398
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2399
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2400
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2401
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2402
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2403
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2404
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2405
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2406
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2407
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2408
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2409
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2410
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2411
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2412
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2413
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{31C0DD25-9439-4F12-BF41-7FF4EDA38722}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}"
              }
            ],
            "repeated": 0,
            "id": 2414
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2415
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2416
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "3D Objects"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2417
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2418
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2419
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "3D Objects"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2420
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2421
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2422
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21825"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2423
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-198"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2424
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2425
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2426
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2427
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2428
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2429
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2430
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2431
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2432
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2433
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2434
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{b3690e58-e961-423b-b687-386ebfd83239}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2435
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2436
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2437
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 2438
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2439
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 2440
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2441
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 2442
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2443
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 2444
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 2445
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2446
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2447
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 2448
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 2449
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2450
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2451
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2452
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 2453
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2454
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "{31C0DD25-9439-4F12-BF41-7FF4EDA38722}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}"
              }
            ],
            "repeated": 0,
            "id": 2455
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2456
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8,g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2457
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2458
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 2459
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 2460
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 2461
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2462
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2463
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 2464
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 2465
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2466
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2467
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}"
              }
            ],
            "repeated": 0,
            "id": 2468
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 2469
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2470
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ConnectionsFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2471
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2472
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2473
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2474
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2475
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2476
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2477
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2478
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2479
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2480
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2481
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2482
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2483
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2484
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2485
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2486
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2487
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2488
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2489
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2490
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2491
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2492
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 2493
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2494
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2495
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{76FC4E2D-D6AD-4519-A663-37BD56068185}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}"
              }
            ],
            "repeated": 0,
            "id": 2496
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 2497
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2498
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PrintersFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2499
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2500
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2501
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2502
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2503
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{21EC2020-3AEA-1069-A2DD-08002B30309D}\\::{2227A280-3AEA-1069-A2DE-08002B30309D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2504
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2505
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2506
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2507
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2508
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2509
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2510
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2511
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2512
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2513
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2514
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2515
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2516
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2517
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2518
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2519
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2520
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 2521
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2522
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2523
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{491E922F-5643-4AF4-A7EB-4E7A138D8174}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4AF4-A7EB-4E7A138D8174}"
              }
            ],
            "repeated": 0,
            "id": 2524
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 2525
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2526
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "VideosLibrary"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2527
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2528
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2529
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Videos.library-ms"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2530
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2531
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{491E922F-5643-4af4-A7EB-4E7A138D8174}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2532
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12690"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2533
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-34620"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2534
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-1005"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2535
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2536
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\shell32.dll,-4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2537
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LIBRARY"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2538
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2539
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2540
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2541
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2542
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2543
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2544
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2545
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2546
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2547
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2548
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 2549
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2550
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2551
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}"
              }
            ],
            "repeated": 0,
            "id": 2552
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 2553
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2554
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "My Pictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2555
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2556
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2557
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Pictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2558
          },
          {
            "timestamp": "2026-06-29 22:15:01,562",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2559
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2560
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12688"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2561
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21779"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2562
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-113"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2563
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2564
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2565
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2566
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2567
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2568
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2569
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2570
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2571
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2572
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2573
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2574
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2575
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2576
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2577
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 2578
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Hide"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 2579
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2580
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2581
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2582
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 2583
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2584
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 2585
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 2586
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2587
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2588
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2589
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2590
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 2591
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2592
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 2593
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00X*g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 2594
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2595
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 2596
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2597
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 2598
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2599
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2600
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2601
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2602
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{8AD10C31-2ADB-4296-A8F7-E4701232C972}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}"
              }
            ],
            "repeated": 0,
            "id": 2603
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2604
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2605
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ResourceDir"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2606
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2607
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2608
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2609
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2610
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2611
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2612
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2613
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2614
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2615
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2616
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2617
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2618
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2619
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2620
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2621
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2622
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2623
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2624
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2625
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2626
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2627
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2628
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2629
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}"
              }
            ],
            "repeated": 0,
            "id": 2630
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2631
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2632
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common Startup"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2633
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2634
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2635
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "StartUp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2636
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2637
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2638
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21787"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2639
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2640
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2641
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2642
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2643
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2644
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2645
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2646
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2647
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2648
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2649
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2650
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2651
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2652
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2653
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2654
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2655
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2656
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{DEBF2536-E1A8-4C59-B6A2-414586476AEA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4C59-B6A2-414586476AEA}"
              }
            ],
            "repeated": 0,
            "id": 2657
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2658
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2659
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PublicGameTasks"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2660
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2661
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2662
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\GameExplorer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2663
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2664
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2665
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2666
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2667
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2668
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2669
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2670
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2671
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2672
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2673
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2674
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2675
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2676
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2677
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2678
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2679
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2680
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2681
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2682
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2683
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{0F214138-B1D3-4A90-BBA9-27CBC0C5389A}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4A90-BBA9-27CBC0C5389A}"
              }
            ],
            "repeated": 0,
            "id": 2684
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2685
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2686
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SyncSetupFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2687
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2688
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2689
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2690
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2691
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\\::{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C},"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2692
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2693
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2694
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2695
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2696
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2697
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2698
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2699
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2700
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2701
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2702
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2703
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2704
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2705
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2706
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2707
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2708
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2709
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2710
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2711
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2400183A-6185-49FB-A2D8-4A392A602BA3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}"
              }
            ],
            "repeated": 0,
            "id": 2712
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2713
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2714
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CommonVideo"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2715
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2716
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2717
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Videos"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2718
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2719
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12690"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2720
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21804"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2721
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2722
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2723
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2724
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2725
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2726
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2727
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2728
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2729
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2730
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2731
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2732
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2733
          },
          {
            "timestamp": "2026-06-29 22:15:01,578",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2734
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2735
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2736
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036c"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 2737
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2738
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 2739
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2740
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 2741
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2742
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 2743
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2744
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2745
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{D9DC8A3B-B784-432E-A781-5A1130A75963}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
              }
            ],
            "repeated": 0,
            "id": 2746
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2747
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2748
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "History"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2749
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2750
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2751
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\History"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2752
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2753
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2754
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2755
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2756
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2757
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2758
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2759
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2760
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2761
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2762
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2763
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2764
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2765
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2766
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2767
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2768
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2769
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2770
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2771
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2772
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{C4900540-2379-4C75-844B-64E6FAF8716B}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4900540-2379-4C75-844B-64E6FAF8716B}"
              }
            ],
            "repeated": 0,
            "id": 2773
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2774
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2775
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2776
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{289A9A43-BE44-4057-A41B-587A76D7E7F9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}"
              }
            ],
            "repeated": 0,
            "id": 2777
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2778
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2779
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SyncResultsFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2780
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2781
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2782
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2783
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2784
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\\::{BC48B32F-5910-47F5-8570-5074A8A5636A},"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2785
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2786
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2787
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2788
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2789
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2790
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2791
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2792
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2793
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2794
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2795
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2796
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2797
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2798
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2799
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2800
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2801
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2802
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2803
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2804
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{4BFEFB45-347D-4006-A5BE-AC0CB0567192}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}"
              }
            ],
            "repeated": 0,
            "id": 2805
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2806
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2807
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ConflictFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2808
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2809
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2810
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2811
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2812
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\\::{E413D040-6788-4C22-957E-175D1C513A34},"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2813
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2814
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2815
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2816
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2817
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2818
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2819
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2820
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2821
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2822
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2823
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2824
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2825
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2826
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2827
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2828
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2829
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2830
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2831
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2832
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}"
              }
            ],
            "repeated": 0,
            "id": 2833
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2834
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2835
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "RecycleBinFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2836
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2837
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2838
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2839
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{645FF040-5081-101B-9F08-00AA002F954E}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2840
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2841
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2842
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2843
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2844
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2845
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2846
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2847
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2848
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2849
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2850
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2851
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2852
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2853
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2854
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2855
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2856
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2857
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2858
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2859
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}"
              }
            ],
            "repeated": 0,
            "id": 2860
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2861
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2862
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CSCFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2863
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2864
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2865
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2866
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\*"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2867
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2868
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2869
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2870
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2871
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2872
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2873
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2874
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2875
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2876
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2877
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2878
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2879
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2880
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2881
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2882
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2883
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2884
          },
          {
            "timestamp": "2026-06-29 22:15:01,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2885
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2886
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{C870044B-F49E-4126-A9C3-B52A1FF411E8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}"
              }
            ],
            "repeated": 0,
            "id": 2887
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2888
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2889
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Ringtones"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2890
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2891
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2892
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Ringtones"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2893
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2894
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2895
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2896
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2897
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2898
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2899
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2900
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2901
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2902
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2903
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2904
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2905
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2906
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2907
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2908
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2909
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2910
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2911
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2912
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2913
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
              }
            ],
            "repeated": 0,
            "id": 2914
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2915
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2916
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common Programs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2917
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2918
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2919
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Programs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2920
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2921
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2922
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21782"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2923
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2924
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2925
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2926
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2927
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2928
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2929
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2930
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2931
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2932
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2933
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2934
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2935
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2936
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2937
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2938
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2939
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2940
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{C5ABBF53-E17F-4121-8900-86626FC2C973}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}"
              }
            ],
            "repeated": 0,
            "id": 2941
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2942
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2943
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "NetHood"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2944
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2945
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2946
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Network Shortcuts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2947
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2948
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2949
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2950
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2951
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2952
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2953
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2954
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2955
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2956
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2957
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2958
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2959
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2960
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2961
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2962
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2963
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2964
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2965
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2966
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2967
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{56784854-C6CB-462B-8169-88E350ACB882}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}"
              }
            ],
            "repeated": 0,
            "id": 2968
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 2969
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2970
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Contacts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2971
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2972
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2973
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Contacts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2974
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2975
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\{56784854-C6CB-462B-8169-88E350ACB882}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2976
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%CommonProgramFiles%\\system\\wab32res.dll,-10200"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2977
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%CommonProgramFiles%\\system\\wab32res.dll,-10100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2978
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-181"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2979
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2980
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2981
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2982
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2983
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2984
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2985
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2986
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2987
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2988
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2989
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{de2b70ec-9bf7-4a93-bd3d-243f7881d492}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2990
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2991
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2992
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 2993
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 2994
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2995
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 2996
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2997
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 2998
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2999
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 3000
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3001
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3002
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3003
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 3004
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 3005
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3006
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3007
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3008
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3009
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3010
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "{56784854-C6CB-462B-8169-88E350ACB882}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{56784854-C6CB-462B-8169-88E350ACB882}"
              }
            ],
            "repeated": 0,
            "id": 3011
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3012
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98.g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3013
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3014
          },
          {
            "timestamp": "2026-06-29 22:15:01,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 3015
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 3016
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 3017
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3018
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3019
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3020
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 3021
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3022
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3023
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}"
              }
            ],
            "repeated": 0,
            "id": 3024
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 3025
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3026
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "UserProgramFilesCommon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3027
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{5cd7aee2-2219-4a67-b85d-6c9ce15660cb}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3028
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3029
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3030
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3031
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3032
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3033
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3034
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3035
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3036
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3037
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3038
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3039
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3040
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3041
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3042
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3043
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3044
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3045
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3046
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3047
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3048
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3049
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3050
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{00BCFC5A-ED94-4E48-96A1-3F6217F21990}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4E48-96A1-3F6217F21990}"
              }
            ],
            "repeated": 0,
            "id": 3051
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3052
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3053
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Roaming Tiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3054
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3055
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3056
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\RoamingTiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3057
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3058
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3059
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3060
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3061
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3062
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3063
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3064
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3065
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3066
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3067
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3068
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3069
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3070
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3071
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3072
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3073
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3074
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 3075
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 3076
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Show"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 3077
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 3078
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 3079
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 3080
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3081
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 3082
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb4\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 3083
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3084
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3085
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 3086
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3087
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3088
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3089
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3090
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 3091
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3092
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 3093
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xe0,g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 3094
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3095
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 3096
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3097
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3098
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3099
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 3100
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3101
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 3102
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3103
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 3104
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3105
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 3106
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3107
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3108
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A302545D-DEFF-464B-ABE8-61C8648D939B}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464B-ABE8-61C8648D939B}"
              }
            ],
            "repeated": 0,
            "id": 3109
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 3110
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3111
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "UsersLibrariesFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3112
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3113
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3114
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3115
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3116
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3117
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3118
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3119
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3120
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3121
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3122
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3123
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3124
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3125
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3126
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3127
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3128
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3129
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3130
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3131
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3132
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3133
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3134
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3135
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
              }
            ],
            "repeated": 0,
            "id": 3136
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3137
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3138
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Cookies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3139
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3140
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3141
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\INetCookies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3142
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3143
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3144
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3145
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3146
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3147
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3148
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3149
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3150
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3151
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3152
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3153
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3154
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3155
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3156
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3157
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3158
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3159
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3160
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3161
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3162
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}"
              }
            ],
            "repeated": 0,
            "id": 3163
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3164
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3165
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LocalizedResourcesDir"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3166
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3167
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3168
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3169
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3170
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3171
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3172
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3173
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3174
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3175
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3176
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3177
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3178
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3179
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3180
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3181
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3182
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3183
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3184
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3185
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3186
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3187
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3188
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3189
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{E555AB60-153B-4D17-9F04-A5FE99FC15EC}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}"
              }
            ],
            "repeated": 0,
            "id": 3190
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3191
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3192
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CommonRingtones"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3193
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3194
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3195
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Ringtones"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3196
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3197
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3198
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3199
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3200
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3201
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3202
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3203
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3204
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3205
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3206
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3207
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3208
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3209
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3210
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3211
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3212
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3213
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3214
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3215
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3216
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{054FAE61-4DD8-4787-80B6-090220C4B700}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}"
              }
            ],
            "repeated": 0,
            "id": 3217
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3218
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3219
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "GameTasks"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3220
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3221
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3222
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\GameExplorer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3223
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3224
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3225
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3226
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3227
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3228
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3229
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3230
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3231
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3232
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3233
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3234
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3235
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3236
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3237
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3238
          },
          {
            "timestamp": "2026-06-29 22:15:01,625",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3239
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3240
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3241
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3242
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3243
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1777F761-68AD-4D8A-87BD-30B759FA33DD}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}"
              }
            ],
            "repeated": 0,
            "id": 3244
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3245
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3246
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Favorites"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3247
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3248
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3249
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Favorites"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3250
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3251
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3252
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21796"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3253
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-115"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3254
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3255
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3256
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3257
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3258
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3259
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3260
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3261
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3262
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3263
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3264
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3265
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3266
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3267
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3268
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3269
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 3270
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3271
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 3272
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3273
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 3274
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3275
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3276
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3277
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 3278
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 3279
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3280
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3281
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3282
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3283
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3284
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "Favorites"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%USERPROFILE%\\Favorites"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Favorites"
              }
            ],
            "repeated": 0,
            "id": 3285
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3286
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3287
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 3288
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Show"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 3289
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 3290
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 3291
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3292
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3293
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3294
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 3295
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3296
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3297
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 3298
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3299
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3300
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3301
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3302
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 3303
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3304
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 3305
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xc0+g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 3306
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3307
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 3308
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3309
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3310
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3311
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3312
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3313
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 3314
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3315
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 3316
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3317
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 3318
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3319
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3320
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}"
              }
            ],
            "repeated": 0,
            "id": 3321
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3322
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3323
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3324
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}"
              }
            ],
            "repeated": 0,
            "id": 3325
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3326
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3327
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "HomeGroupFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3328
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3329
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3330
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3331
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3332
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3333
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3334
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-1013"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3335
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3336
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3337
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3338
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3339
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3340
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3341
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3342
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3343
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3344
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3345
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3346
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3347
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3348
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3349
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3350
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3351
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{8983036C-27C0-404B-8F08-102D10DCFD74}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}"
              }
            ],
            "repeated": 0,
            "id": 3352
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3353
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3354
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SendTo"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3355
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3356
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3357
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\SendTo"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3358
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3359
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3360
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3361
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3362
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3363
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3364
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3365
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3366
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3367
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3368
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3369
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3370
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3371
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3372
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3373
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3374
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3375
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3376
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3377
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3378
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{0482AF6C-08F1-4C34-8C90-E17EC98B1E17}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482AF6C-08F1-4C34-8C90-E17EC98B1E17}"
              }
            ],
            "repeated": 0,
            "id": 3379
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3380
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3381
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PublicAccountPictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3382
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3383
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3384
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AccountPictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3385
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3386
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3387
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "@C:\\Windows\\SysWOW64\\Windows.UI.Immersive.dll,-38304"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3388
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3389
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3390
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3391
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3392
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3393
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3394
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3395
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3396
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3397
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3398
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3399
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3400
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3401
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3402
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3403
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3404
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3405
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{BCB5256F-79F6-4CEE-B725-DC34E402FD46}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{BCB5256F-79F6-4CEE-B725-DC34E402FD46}"
              }
            ],
            "repeated": 0,
            "id": 3406
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3407
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3408
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ImplicitAppShortcuts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3409
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{9e3995ab-1f9c-4f13-b827-48b24b6c7174}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3410
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3411
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ImplicitAppShortcuts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3412
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3413
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3414
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3415
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3416
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3417
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3418
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3419
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3420
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3421
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3422
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3423
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3424
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3425
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3426
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3427
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3428
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3429
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3430
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3431
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3432
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{724EF170-A42D-4FEF-9F26-B60E846FBA4F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}"
              }
            ],
            "repeated": 0,
            "id": 3433
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3434
          },
          {
            "timestamp": "2026-06-29 22:15:01,640",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3435
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Administrative Tools"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3436
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3437
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3438
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Administrative Tools"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3439
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3440
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3441
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21762"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3442
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3443
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3444
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3445
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3446
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3447
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3448
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3449
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3450
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3451
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3452
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3453
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3454
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3455
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3456
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3457
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3458
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3459
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{4BD8D571-6D19-48D3-BE97-422220080E43}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}"
              }
            ],
            "repeated": 0,
            "id": 3460
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 3461
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3462
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "My Music"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3463
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3464
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3465
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Music"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3466
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3467
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{1CF1260C-4DD0-4EBB-811F-33C572699FDE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3468
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12689"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3469
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21790"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3470
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-108"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3471
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3472
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3473
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3474
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3475
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3476
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3477
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3478
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3479
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3480
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3481
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3482
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3483
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3484
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3485
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 3486
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Hide"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 3487
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3488
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3489
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3490
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 3491
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3492
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3493
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 3494
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3495
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3496
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3497
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3498
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 3499
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3500
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 3501
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x80)g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 3502
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3503
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 3504
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3505
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3506
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3507
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3508
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3509
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3510
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{DE61D971-5EBC-4F02-A3A9-6C82895E5C04}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE61D971-5EBC-4F02-A3A9-6C82895E5C04}"
              }
            ],
            "repeated": 0,
            "id": 3511
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3512
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3513
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AddNewProgramsFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3514
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3515
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3516
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3517
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3518
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{15eae92e-f17a-4431-9f28-805e482dafd4}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3519
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3520
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3521
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3522
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3523
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3524
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3525
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3526
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3527
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3528
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3529
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3530
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3531
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3532
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3533
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3534
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3535
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3536
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3537
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3538
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}"
              }
            ],
            "repeated": 0,
            "id": 3539
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3540
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3541
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Captures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3542
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3543
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3544
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Captures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3545
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3546
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3547
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21826"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3548
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3549
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3550
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3551
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3552
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3553
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3554
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3555
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3556
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3557
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3558
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3559
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3560
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3561
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3562
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3563
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3564
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3565
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{0762D272-C50A-4BB0-A382-697DCD729B80}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}"
              }
            ],
            "repeated": 0,
            "id": 3566
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3567
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3568
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "UserProfiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3569
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3570
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3571
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3572
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3573
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3574
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21813"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3575
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3576
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3577
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;WD)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3578
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3579
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3580
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3581
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3582
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3583
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3584
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3585
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3586
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3587
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3588
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3589
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3590
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3591
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3592
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3593
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}"
              }
            ],
            "repeated": 0,
            "id": 3594
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 3595
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3596
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "InternetFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3597
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3598
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3599
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3600
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{871C5380-42A0-1069-A2EA-08002B30309D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3601
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3602
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3603
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3604
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3605
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3606
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3607
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3608
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3609
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3610
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3611
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3612
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3613
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3614
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3615
          },
          {
            "timestamp": "2026-06-29 22:15:01,656",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3616
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3617
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3618
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3619
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3620
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000398"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2B20DF75-1EDA-4039-8097-38798227D5B7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}"
              }
            ],
            "repeated": 0,
            "id": 3621
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 3622
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3623
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CameraRollLibrary"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3624
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3625
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3626
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CameraRoll.library-ms"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3627
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3628
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{2B20DF75-1EDA-4039-8097-38798227D5B7}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3629
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3630
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-34582"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3631
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3632
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3633
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\shell32.dll,-5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3634
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LIBRARY"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3635
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3636
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3637
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3638
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3639
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3640
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3641
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3642
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3643
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3644
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3645
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3646
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3647
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3648
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              }
            ],
            "repeated": 0,
            "id": 3649
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3650
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3651
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "System"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3652
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3653
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3654
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3655
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3656
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3657
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3658
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3659
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3660
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3661
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3662
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3663
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3664
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3665
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3666
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3667
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3668
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3669
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3670
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3671
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3672
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3673
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3674
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3675
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
              }
            ],
            "repeated": 0,
            "id": 3676
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3677
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3678
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Programs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3679
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3680
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3681
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Programs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3682
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3683
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3684
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21782"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3685
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3686
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3687
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3688
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3689
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3690
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3691
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3692
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3693
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3694
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3695
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3696
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3697
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3698
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3699
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3700
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3701
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3702
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}"
              }
            ],
            "repeated": 0,
            "id": 3703
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3704
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3705
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppDataDesktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3706
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3707
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3708
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3709
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3710
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3711
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3712
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3713
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3714
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3715
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3716
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3717
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3718
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3719
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3720
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3721
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3722
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3723
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3724
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3725
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3726
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3727
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3728
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3729
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{AB5FB87B-7CE2-4F83-915D-550846C9537B}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}"
              }
            ],
            "repeated": 0,
            "id": 3730
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3731
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3732
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Camera Roll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3733
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3734
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3735
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Camera Roll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3736
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3737
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3738
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21824"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3739
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3740
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3741
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3742
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3743
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3744
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3745
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3746
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3747
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3748
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3749
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3750
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3751
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{B26388EA-AD62-430f-AF5C-CFA63BFE94A6}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3752
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3753
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3754
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3755
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3756
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
              }
            ],
            "repeated": 0,
            "id": 3757
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3758
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3759
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "MyComputerFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3760
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3761
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3762
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3763
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3764
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3765
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3766
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3767
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3768
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3769
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3770
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3771
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3772
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3773
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3774
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3775
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3776
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3777
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3778
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3779
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3780
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3781
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3782
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3783
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{D0384E7D-BAC3-4797-8F14-CBA229B392B5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}"
              }
            ],
            "repeated": 0,
            "id": 3784
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3785
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3786
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common Administrative Tools"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3787
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3788
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3789
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Administrative Tools"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3790
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3791
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3792
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21762"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3793
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3794
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3795
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3796
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3797
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3798
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3799
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3800
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3801
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3802
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3803
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3804
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3805
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3806
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3807
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3808
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3809
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3810
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}"
              }
            ],
            "repeated": 0,
            "id": 3811
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3812
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3813
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "DocumentsLibrary"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3814
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3815
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3816
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Documents.library-ms"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3817
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3818
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3819
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3820
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-34575"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3821
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-1002"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3822
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3823
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\shell32.dll,-1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3824
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LIBRARY"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3825
          },
          {
            "timestamp": "2026-06-29 22:15:01,672",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3826
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3827
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3828
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3829
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3830
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3831
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3832
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3833
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3834
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3835
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3836
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3837
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3838
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A3918781-E5F2-4890-B3D9-A7E54332328C}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}"
              }
            ],
            "repeated": 0,
            "id": 3839
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3840
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3841
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Application Shortcuts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3842
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3843
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3844
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Application Shortcuts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3845
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3846
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3847
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-50704"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3848
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3849
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3850
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3851
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3852
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3853
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3854
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3855
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3856
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3857
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3858
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3859
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3860
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3861
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3862
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 3863
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3864
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3865
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{AE50C081-EBD2-438A-8655-8A092E34987A}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}"
              }
            ],
            "repeated": 0,
            "id": 3866
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 3867
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3868
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Recent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3869
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3870
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3871
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Recent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3872
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3873
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "@shell32,dll,-12692"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3874
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21797"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3875
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-117"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3876
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3877
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3878
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3879
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3880
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3881
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3882
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3883
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3884
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3885
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3886
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3887
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3888
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3889
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3890
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3891
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3892
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B7BEDE81-DF94-4682-A7D8-57A52620B86F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7BEDE81-DF94-4682-A7D8-57A52620B86F}"
              }
            ],
            "repeated": 0,
            "id": 3893
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3894
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3895
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Screenshots"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3896
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3897
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3898
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Screenshots"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3899
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3900
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3901
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21823"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3902
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3903
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3904
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3905
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3906
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3907
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3908
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3909
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3910
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3911
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3912
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3913
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3914
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3915
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3916
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 3917
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3918
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3919
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3B193882-D3AD-4EAB-965A-69829D1FB59F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4EAB-965A-69829D1FB59F}"
              }
            ],
            "repeated": 0,
            "id": 3920
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 3921
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3922
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SavedPictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3923
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3924
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3925
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Saved Pictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3926
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3927
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3928
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-34583"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3929
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3930
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3931
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3932
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3933
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3934
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3935
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3936
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3937
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3938
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3939
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3940
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3941
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3942
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3943
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3944
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3945
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3946
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
              }
            ],
            "repeated": 0,
            "id": 3947
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3948
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3949
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common AppData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3950
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3951
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3952
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3953
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3954
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3955
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3956
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3957
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3958
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3959
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3960
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3961
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3962
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3963
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3964
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3965
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3966
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3967
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3968
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3969
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3970
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 3971
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3972
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3973
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              }
            ],
            "repeated": 0,
            "id": 3974
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 3975
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3976
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Local AppData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3977
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3978
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3979
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppData\\Local"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3980
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3981
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3982
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3983
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3984
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3985
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3986
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3987
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3988
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3989
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3990
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3991
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3992
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3993
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3994
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3995
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3996
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3997
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3998
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3999
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4000
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}"
              }
            ],
            "repeated": 0,
            "id": 4001
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4002
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4003
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ThisPCDesktopFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4004
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4005
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4006
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4007
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4008
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4009
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4010
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21769"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4011
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-183"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4012
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4013
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4014
          },
          {
            "timestamp": "2026-06-29 22:15:01,687",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4015
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4016
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4017
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4018
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4019
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4020
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4021
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4022
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4023
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4024
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4025
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4026
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4027
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 4028
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4029
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 4030
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4031
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 4032
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4033
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4034
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4035
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 4036
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 4037
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4038
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4039
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 4040
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 4041
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4042
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d0"
              },
              {
                "name": "ValueName",
                "value": "{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}"
              }
            ],
            "repeated": 0,
            "id": 4043
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4044
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p/g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4045
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4046
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 4047
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 4048
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 4049
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4050
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4051
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4052
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d0"
              }
            ],
            "repeated": 0,
            "id": 4053
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4054
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4055
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}"
              }
            ],
            "repeated": 0,
            "id": 4056
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d0"
              }
            ],
            "repeated": 0,
            "id": 4057
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4058
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CommonPictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4059
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4060
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4061
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Pictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4062
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4063
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12688"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4064
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21802"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4065
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4066
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4067
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4068
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4069
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4070
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4071
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4072
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4073
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4074
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4075
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4076
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4077
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4078
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4079
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4080
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4081
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4082
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1E87508D-89C2-42F0-8A7E-645A0F50CA58}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1E87508D-89C2-42F0-8A7E-645A0F50CA58}"
              }
            ],
            "repeated": 0,
            "id": 4083
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4084
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4085
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppsFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4086
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4087
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4088
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4089
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{4234d49b-0245-4df3-b780-3893943456e1}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4090
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4091
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4092
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4093
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4094
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4095
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4096
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4097
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4098
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4099
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4100
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4101
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4102
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4103
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4104
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4105
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4106
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4107
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4108
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4109
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}"
              }
            ],
            "repeated": 0,
            "id": 4110
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4111
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4112
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PrintHood"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4113
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4114
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4115
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Printer Shortcuts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4116
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4117
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4118
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4119
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4120
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4121
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4122
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4123
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4124
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4125
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4126
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4127
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4128
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4129
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4130
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4131
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4132
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4133
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4134
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4135
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4136
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}"
              }
            ],
            "repeated": 0,
            "id": 4137
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4138
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4139
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Development Files"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4140
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4141
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4142
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "DevelopmentFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4143
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4144
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4145
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4146
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4147
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4148
          },
          {
            "timestamp": "2026-06-29 22:15:01,703",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4149
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4150
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4151
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4152
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4153
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4154
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4155
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4156
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4157
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4158
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4159
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4160
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4161
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4162
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4163
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}"
              }
            ],
            "repeated": 0,
            "id": 4164
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4165
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4166
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PhotoAlbums"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4167
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4168
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4169
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Slide Shows"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4170
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4171
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4172
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21819"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4173
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4174
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4175
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4176
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4177
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4178
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4179
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4180
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4181
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4182
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4183
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4184
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4185
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4186
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4187
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4188
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4189
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4190
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{374DE290-123F-4565-9164-39C4925E467B}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}"
              }
            ],
            "repeated": 0,
            "id": 4191
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4192
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4193
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Downloads"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4194
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4195
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4196
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Downloads"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4197
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4198
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{374DE290-123F-4565-9164-39C4925E467B}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4199
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4200
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21798"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4201
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-184"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4202
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "S:AI(RA;IOOICI;;;;WD;(\"IMAGELOAD\",TU,0x0,0x01))"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4203
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4204
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4205
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4206
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4207
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4208
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4209
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4210
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4211
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4212
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{885A186E-A440-4ADA-812B-DB871B942259}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4213
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4214
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4215
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4216
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 4217
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Hide"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 4218
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4219
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4220
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4221
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc4\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 4222
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 4223
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4224
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 4225
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4226
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4227
          },
          {
            "timestamp": "2026-06-29 22:15:01,718",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 4228
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4229
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 4230
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4231
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 4232
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf8/g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 4233
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4234
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 4235
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4236
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 4237
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4238
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4239
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4240
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4241
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{859EAD94-2E85-48AD-A71A-0969CB56A6CD}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{859EAD94-2E85-48AD-A71A-0969CB56A6CD}"
              }
            ],
            "repeated": 0,
            "id": 4242
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4243
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4244
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4245
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7AD67899-66AF-43BA-9156-6AAD42E6C596}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}"
              }
            ],
            "repeated": 0,
            "id": 4246
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4247
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4248
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppMods"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4249
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4250
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4251
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppMods"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4252
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4253
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4254
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21829"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4255
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4256
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4257
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4258
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4259
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4260
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4261
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4262
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4263
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4264
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4265
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4266
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4267
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4268
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4269
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4270
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4271
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 4272
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4273
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 4274
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4275
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 4276
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4277
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4278
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4279
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 4280
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 4281
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4282
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4283
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 4284
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 4285
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4286
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "{7AD67899-66AF-43BA-9156-6AAD42E6C596}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}"
              }
            ],
            "repeated": 0,
            "id": 4287
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4288
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0-g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4289
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4290
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 4291
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 4292
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 4293
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 4294
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4295
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4296
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4297
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 4298
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Show"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 4299
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 4300
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{4BD8D571-6D19-48D3-BE97-422220080E43}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 4301
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4302
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4303
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4304
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 4305
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 4306
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4307
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 4308
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4309
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4310
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 4311
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4312
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 4313
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4314
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 4315
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00X*g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 4316
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4317
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 4318
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4319
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 4320
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4321
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4322
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4323
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 4324
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4325
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 4326
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4327
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 4328
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4329
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4330
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A305CE99-F527-492B-8B1A-7E76FA98D6E4}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A305CE99-F527-492B-8B1A-7E76FA98D6E4}"
              }
            ],
            "repeated": 0,
            "id": 4331
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4332
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4333
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppUpdatesFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4334
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4335
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4336
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4337
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4338
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}\\::{d450a8a1-9568-45c7-9c0e-b4f9fb4537bd}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4339
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4340
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4341
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4342
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4343
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4344
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4345
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4346
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4347
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4348
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4349
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4350
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4351
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4352
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4353
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4354
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4355
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4356
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4357
          },
          {
            "timestamp": "2026-06-29 22:15:01,734",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4358
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3D644C9B-1FB8-4F30-9B45-F670235F79C0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4F30-9B45-F670235F79C0}"
              }
            ],
            "repeated": 0,
            "id": 4359
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4360
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4361
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CommonDownloads"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4362
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4363
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4364
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Downloads"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4365
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4366
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4367
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21808"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4368
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4369
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4370
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4371
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4372
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4373
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4374
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4375
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4376
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4377
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4378
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4379
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4380
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4381
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4382
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4383
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 4384
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Show"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 4385
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 4386
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{374DE290-123F-4565-9164-39C4925E467B}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 4387
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4388
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4389
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4390
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 4391
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 4392
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4393
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 4394
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4395
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4396
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 4397
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4398
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 4399
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4400
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 4401
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xc0+g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 4402
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4403
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 4404
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4405
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 4406
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4407
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4408
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4409
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 4410
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4411
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 4412
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4413
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 4414
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4415
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4416
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A440879F-87A0-4F7D-B700-0207B966194A}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}"
              }
            ],
            "repeated": 0,
            "id": 4417
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4418
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4419
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common Start Menu Places"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4420
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4421
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4422
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Start Menu Places"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4423
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4424
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4425
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21786"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4426
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4427
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4428
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4429
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4430
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4431
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4432
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4433
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4434
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4435
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4436
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4437
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4438
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4439
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4440
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4441
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4442
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4443
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A990AE9F-A03B-4E80-94BC-9912D7504104}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4E80-94BC-9912D7504104}"
              }
            ],
            "repeated": 0,
            "id": 4444
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 4445
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4446
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PicturesLibrary"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4447
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4448
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4449
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Pictures.library-ms"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4450
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4451
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{A990AE9F-A03B-4e80-94BC-9912D7504104}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4452
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12688"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4453
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-34595"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4454
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-1003"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4455
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4456
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\shell32.dll,-3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4457
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LIBRARY"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4458
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4459
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4460
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4461
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4462
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4463
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4464
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4465
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4466
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4467
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4468
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4469
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4470
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4471
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              }
            ],
            "repeated": 0,
            "id": 4472
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4473
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4474
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Public"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4475
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4476
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4477
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4478
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4479
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4480
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21816"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4481
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4482
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4483
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "D:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICIIO;0x1301ff;;;IU)(A;;0x1200af;;;IU)(A;OICIIO;0x1301ff;;;SU)(A;;0x1200af;;;SU)(A;OICIIO;0x1301ff;;;S-1-5-3)(A;;0x1200af;;;S-1-5-3)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4484
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4485
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4486
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4487
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4488
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4489
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4490
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4491
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4492
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4493
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4494
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4495
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4496
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e0"
              }
            ],
            "repeated": 0,
            "id": 4497
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4498
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4499
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1A6FDBA2-F42D-4358-A798-B74D745926C5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}"
              }
            ],
            "repeated": 0,
            "id": 4500
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e0"
              }
            ],
            "repeated": 0,
            "id": 4501
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4502
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "RecordedTVLibrary"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4503
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{48daf80b-e6cf-4f4e-b800-0e69d84ee384}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4504
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4505
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "RecordedTV.library-ms"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4506
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4507
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4508
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-34615"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4509
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-1008"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4510
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4511
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\shell32.dll,-8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4512
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LIBRARY"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4513
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4514
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4515
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4516
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4517
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4518
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4519
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4520
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4521
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4522
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4523
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4524
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4525
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4526
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{559D40A3-A036-40FA-AF61-84CB430A4D34}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}"
              }
            ],
            "repeated": 0,
            "id": 4527
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4528
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4529
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppDataProgramData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4530
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4531
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4532
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ProgramData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4533
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4534
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4535
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4536
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4537
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4538
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4539
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4540
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4541
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4542
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4543
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4544
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4545
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4546
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4547
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4548
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4549
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4550
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e0"
              }
            ],
            "repeated": 0,
            "id": 4551
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4552
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4553
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9B74B6A3-0DFD-4F11-9E78-5F7800F2E772}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4F11-9E78-5F7800F2E772}"
              }
            ],
            "repeated": 0,
            "id": 4554
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e0"
              }
            ],
            "repeated": 0,
            "id": 4555
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4556
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "HomeGroupCurrentUserFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4557
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4558
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4559
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4560
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\$CurrentUser$"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4561
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4562
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4563
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4564
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4565
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4566
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4567
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4568
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4569
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4570
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4571
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4572
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4573
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4574
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4575
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4576
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4577
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4578
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4579
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4580
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A520A1A4-1780-4FF6-BD18-167343C5AF16}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}"
              }
            ],
            "repeated": 0,
            "id": 4581
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4582
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4583
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "LocalAppDataLow"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4584
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4585
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4586
          },
          {
            "timestamp": "2026-06-29 22:15:01,750",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppData\\LocalLow"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4587
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4588
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4589
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4590
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4591
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "S:(ML;OICI;NW;;;LW)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4592
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4593
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4594
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4595
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4596
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4597
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4598
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4599
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4600
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "8192"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4601
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4602
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4603
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4604
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 4605
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4606
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4607
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}"
              }
            ],
            "repeated": 0,
            "id": 4608
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 4609
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4610
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Roamed Tile Images"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4611
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4612
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4613
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\RoamedTileImages"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4614
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4615
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4616
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4617
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4618
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4619
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4620
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4621
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4622
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4623
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4624
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4625
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4626
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4627
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4628
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4629
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4630
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4631
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4632
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4633
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4634
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B88F4DAA-E7BD-49A9-B74D-02885A5DC765}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49A9-B74D-02885A5DC765}"
              }
            ],
            "repeated": 0,
            "id": 4635
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4636
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4637
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CryptoKeys"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4638
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4639
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4640
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4641
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4642
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4643
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4644
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4645
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4646
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4647
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4648
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4649
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4650
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4651
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4652
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4653
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4654
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4655
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4656
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4657
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4658
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 4659
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4660
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4661
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2C36C0AA-5812-4B87-BFD0-4CD0DFB19B39}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4B87-BFD0-4CD0DFB19B39}"
              }
            ],
            "repeated": 0,
            "id": 4662
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 4663
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4664
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Original Images"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4665
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4666
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4667
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows Photo Gallery\\Original Images"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4668
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4669
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4670
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4671
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4672
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4673
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4674
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4675
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4676
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4677
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4678
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4679
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4680
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4681
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4682
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4683
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4684
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4685
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4686
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4687
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4688
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9E3995AB-1F9C-4F13-B827-48B24B6C7174}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}"
              }
            ],
            "repeated": 0,
            "id": 4689
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4690
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4691
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "User Pinned"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4692
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4693
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4694
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "User Pinned"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4695
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4696
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4697
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4698
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4699
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4700
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4701
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4702
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4703
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4704
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4705
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4706
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4707
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4708
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4709
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4710
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4711
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4712
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 4713
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4714
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4715
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{DF7266AC-9274-4867-8D55-3BD661DE872D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DF7266AC-9274-4867-8D55-3BD661DE872D}"
              }
            ],
            "repeated": 0,
            "id": 4716
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 4717
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4718
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ChangeRemoveProgramsFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4719
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4720
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4721
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4722
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4723
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4724
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4725
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4726
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4727
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4728
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4729
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4730
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4731
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4732
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4733
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4734
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4735
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4736
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4737
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4738
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4739
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4740
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4741
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4742
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4743
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{ED4824AF-DCE4-45A8-81E2-FC7965083634}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}"
              }
            ],
            "repeated": 0,
            "id": 4744
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 4745
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4746
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Common Documents"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4747
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4748
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4749
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Documents"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4750
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4751
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4752
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21801"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4753
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4754
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4755
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4756
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4757
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4758
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4759
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4760
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4761
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4762
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4763
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4764
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4765
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4766
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4767
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 4768
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4769
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4770
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
              }
            ],
            "repeated": 0,
            "id": 4771
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 4772
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4773
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SystemX86"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4774
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4775
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4776
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4777
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4778
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4779
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4780
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4781
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4782
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4783
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4784
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4785
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4786
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4787
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4788
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4789
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4790
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4791
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4792
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4793
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4794
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 4795
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4796
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4797
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}"
              }
            ],
            "repeated": 0,
            "id": 4798
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 4799
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4800
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AccountPictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4801
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4802
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4803
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\AccountPictures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4804
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4805
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4806
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "@C:\\Windows\\SysWOW64\\Windows.UI.Immersive.dll,-38305"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4807
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4808
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4809
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4810
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4811
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4812
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4813
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4814
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4815
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4816
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4817
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4818
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4819
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4820
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4821
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ec"
              }
            ],
            "repeated": 0,
            "id": 4822
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4823
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4824
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3214FAB5-9757-4298-BB61-92A9DEAA44FF}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}"
              }
            ],
            "repeated": 0,
            "id": 4825
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ec"
              }
            ],
            "repeated": 0,
            "id": 4826
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4827
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "CommonMusic"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4828
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4829
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4830
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Music"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4831
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4832
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-12689"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4833
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21803"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4834
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4835
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4836
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4837
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4838
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4839
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4840
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4841
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4842
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4843
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4844
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4845
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4846
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4847
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4848
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 4849
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4850
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4851
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}"
              }
            ],
            "repeated": 0,
            "id": 4852
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 4853
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4854
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SearchHistoryFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4855
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4856
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4857
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\ConnectedSearch\\History"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4858
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4859
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4860
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4861
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4862
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4863
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4864
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4865
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4866
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4867
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4868
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4869
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4870
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4871
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4872
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4873
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4874
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4875
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 4876
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4877
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4878
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{905E63B6-C1BF-494E-B29C-65B732D3D21A}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905E63B6-C1BF-494E-B29C-65B732D3D21A}"
              }
            ],
            "repeated": 0,
            "id": 4879
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 4880
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4881
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ProgramFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4882
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4883
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4884
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4885
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4886
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4887
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21781"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4888
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4889
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4890
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4891
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4892
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4893
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4894
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4895
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4896
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4897
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4898
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4899
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4900
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4901
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4902
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 4903
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4904
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4905
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
              }
            ],
            "repeated": 0,
            "id": 4906
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 4907
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4908
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Fonts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4909
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4910
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4911
          },
          {
            "timestamp": "2026-06-29 22:15:01,765",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4912
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4913
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4914
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4915
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4916
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4917
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4918
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4919
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4920
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4921
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4922
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4923
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4924
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4925
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4926
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4927
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4928
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4929
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 4930
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4931
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4932
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B97D20BB-F46A-4C97-BA10-5E3608430854}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}"
              }
            ],
            "repeated": 0,
            "id": 4933
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 4934
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4935
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Startup"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4936
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4937
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4938
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "StartUp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4939
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4940
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4941
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21787"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4942
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4943
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4944
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4945
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4946
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4947
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4948
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4949
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4950
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4951
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4952
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4953
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4954
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4955
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4956
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4957
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4958
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4959
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}"
              }
            ],
            "repeated": 0,
            "id": 4960
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4961
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4962
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AppDataFavorites"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4963
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4964
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4965
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Favorites"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4966
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4967
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4968
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4969
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4970
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4971
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4972
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 4973
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 4974
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 4975
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 4976
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 4977
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 4978
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 4979
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4980
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 4981
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 4982
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4983
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 4984
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4985
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 4986
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}"
              }
            ],
            "repeated": 0,
            "id": 4987
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 4988
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Category"
              }
            ],
            "repeated": 0,
            "id": 4989
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Recorded Calls"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Name"
              }
            ],
            "repeated": 0,
            "id": 4990
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 4991
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Description"
              }
            ],
            "repeated": 0,
            "id": 4992
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Recorded Calls"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 4993
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 4994
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 4995
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21827"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 4996
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 4997
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Security"
              }
            ],
            "repeated": 0,
            "id": 4998
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 4999
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5000
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5001
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5002
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5003
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5004
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5005
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5006
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5007
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 5008
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 5009
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5010
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5011
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5012
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 5013
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5014
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 5015
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5016
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 5017
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5018
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5019
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5020
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 5021
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 5022
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 5023
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5024
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 5025
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 5026
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 5027
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}"
              }
            ],
            "repeated": 0,
            "id": 5028
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 5029
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8+g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5030
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5031
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 5032
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 5033
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 5034
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5035
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 5036
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5037
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 5038
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5039
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5040
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
              }
            ],
            "repeated": 0,
            "id": 5041
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 5042
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Category"
              }
            ],
            "repeated": 0,
            "id": 5043
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Name"
              }
            ],
            "repeated": 0,
            "id": 5044
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 5045
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Description"
              }
            ],
            "repeated": 0,
            "id": 5046
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 5047
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5048
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 5049
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21786"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 5050
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 5051
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Security"
              }
            ],
            "repeated": 0,
            "id": 5052
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 5053
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5054
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5055
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5056
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5057
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5058
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5059
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5060
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5061
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 5062
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 5063
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5064
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5065
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5066
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5067
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}"
              }
            ],
            "repeated": 0,
            "id": 5068
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5069
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Category"
              }
            ],
            "repeated": 0,
            "id": 5070
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "NetworkPlacesFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Name"
              }
            ],
            "repeated": 0,
            "id": 5071
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 5072
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Description"
              }
            ],
            "repeated": 0,
            "id": 5073
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 5074
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5075
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 5076
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 5077
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 5078
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Security"
              }
            ],
            "repeated": 0,
            "id": 5079
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 5080
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5081
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5082
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5083
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5084
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5085
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5086
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5087
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5088
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 5089
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 5090
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5091
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 5092
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5093
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5094
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{DE92C1C7-837F-4F69-A3BB-86E631204A23}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}"
              }
            ],
            "repeated": 0,
            "id": 5095
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 5096
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Category"
              }
            ],
            "repeated": 0,
            "id": 5097
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Playlists"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Name"
              }
            ],
            "repeated": 0,
            "id": 5098
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{4BD8D571-6D19-48D3-BE97-422220080E43}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 5099
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Description"
              }
            ],
            "repeated": 0,
            "id": 5100
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Playlists"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 5101
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5102
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 5103
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21818"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 5104
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 5105
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Security"
              }
            ],
            "repeated": 0,
            "id": 5106
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 5107
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5108
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5109
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5110
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5111
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5112
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5113
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5114
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5115
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 5116
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 5117
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5118
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5119
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5120
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5121
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{10C07CD0-EF91-4567-B850-448B77CB37F9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}"
              }
            ],
            "repeated": 0,
            "id": 5122
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5123
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Category"
              }
            ],
            "repeated": 0,
            "id": 5124
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "DpapiKeys"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Name"
              }
            ],
            "repeated": 0,
            "id": 5125
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 5126
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Description"
              }
            ],
            "repeated": 0,
            "id": 5127
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 5128
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5129
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 5130
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 5131
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 5132
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Security"
              }
            ],
            "repeated": 0,
            "id": 5133
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 5134
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5135
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5136
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5137
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5138
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5139
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5140
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5141
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5142
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 5143
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 5144
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5145
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 5146
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5147
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5148
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
              }
            ],
            "repeated": 0,
            "id": 5149
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 5150
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 5151
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Personal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 5152
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 5153
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 5154
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Documents"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 5155
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5156
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8561e",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5157
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 5158
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21770"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 5159
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\imageres.dll,-112"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 5160
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 5161
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 5162
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5163
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5164
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5165
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5166
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5167
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5168
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5169
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5170
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 5171
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 5172
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5173
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5174
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 5175
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Hide"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 5176
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5177
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5178
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5179
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc4\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 5180
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 5181
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 5182
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 5183
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5184
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5185
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5186
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5187
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 5188
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5189
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 5190
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf8/g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 5191
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5192
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 5193
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5194
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 5195
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5196
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5197
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5198
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5199
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}"
              }
            ],
            "repeated": 0,
            "id": 5200
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5201
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Category"
              }
            ],
            "repeated": 0,
            "id": 5202
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "OEM Links"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Name"
              }
            ],
            "repeated": 0,
            "id": 5203
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 5204
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Description"
              }
            ],
            "repeated": 0,
            "id": 5205
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "OEM Links"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 5206
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5207
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 5208
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 5209
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 5210
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Security"
              }
            ],
            "repeated": 0,
            "id": 5211
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 5212
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5213
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5214
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5215
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5216
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5217
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5218
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5219
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5220
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 5221
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 5222
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5223
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5224
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5225
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5226
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{190337D1-B8CA-4121-A639-6D472D16972A}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337D1-B8CA-4121-A639-6D472D16972A}"
              }
            ],
            "repeated": 0,
            "id": 5227
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5228
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Category"
              }
            ],
            "repeated": 0,
            "id": 5229
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SearchHomeFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Name"
              }
            ],
            "repeated": 0,
            "id": 5230
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 5231
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Description"
              }
            ],
            "repeated": 0,
            "id": 5232
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 5233
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{9343812e-1c37-4a49-a12e-4b2d810d956b}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5234
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 5235
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 5236
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 5237
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Security"
              }
            ],
            "repeated": 0,
            "id": 5238
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 5239
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5240
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5241
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5242
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5243
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5244
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5245
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5246
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5247
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 5248
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 5249
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5250
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5251
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 5252
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "ValueName",
                "value": "ThisPCPolicy"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Show"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\ThisPCPolicy"
              }
            ],
            "repeated": 0,
            "id": 5253
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 5254
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "ValueName",
                "value": "BaseFolderId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\BaseFolderId"
              }
            ],
            "repeated": 0,
            "id": 5255
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747be08d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5256
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x747be0b3",
            "parentcaller": "0x747be9b1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5257
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747be0d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5258
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xd3\\x9c\\xb8u\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\xc6\\xce\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc4\\x03\\x00\\x00\\xcc\\xf2\\xec\\x04p\\x07\\xbbu"
              }
            ],
            "repeated": 0,
            "id": 5259
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 5260
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 5261
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "DisablePersonalDirChange"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange"
              }
            ],
            "repeated": 0,
            "id": 5262
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5263
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747beb42",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5264
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5265
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5266
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 5267
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5268
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server"
              }
            ],
            "repeated": 0,
            "id": 5269
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747be1ec",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf8/g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xf2\\xec\\x04D&\\xb9u\\xff\\xff\\xff\\xff\\x0c\\x00\\x00\\x00L\\xf2\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 5270
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5271
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy"
              }
            ],
            "repeated": 0,
            "id": 5272
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747beba4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5273
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 5274
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec02",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5275
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bec1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5276
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5277
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 5278
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5279
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 5280
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5281
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 5282
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5283
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5284
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1C2AC1DC-4358-4B6C-9733-AF21156576F0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}"
              }
            ],
            "repeated": 0,
            "id": 5285
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5286
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Category"
              }
            ],
            "repeated": 0,
            "id": 5287
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "ThisDeviceFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Name"
              }
            ],
            "repeated": 0,
            "id": 5288
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 5289
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Description"
              }
            ],
            "repeated": 0,
            "id": 5290
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 5291
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "::{f8278c54-a712-415b-b593-b77a2be0dda9}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 5292
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 5293
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 5294
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 5295
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Security"
              }
            ],
            "repeated": 0,
            "id": 5296
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 5297
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 5298
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 5299
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 5300
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 5301
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 5302
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 5303
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 5304
          },
          {
            "timestamp": "2026-06-29 22:15:01,781",
            "thread_id": "168",
            "caller": "0x75b85453",
            "parentcaller": "0x75b85243",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 5305
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5306
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5307
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5308
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5309
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{54EED2E0-E7CA-4FDB-9148-0F4247291CFA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{54EED2E0-E7CA-4FDB-9148-0F4247291CFA}"
              }
            ],
            "repeated": 0,
            "id": 5310
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5311
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{54EED2E0-E7CA-4fdb-9148-0F4247291CFA}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5312
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5313
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5314
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5315
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}"
              }
            ],
            "repeated": 0,
            "id": 5316
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5317
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5318
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5319
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5320
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 5321
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5322
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 5323
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5324
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 5325
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5326
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5327
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5328
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 5329
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 5330
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5331
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5332
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 5333
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 5334
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5335
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5336
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x000g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5337
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5338
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 5339
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5340
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5341
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5342
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 5343
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5344
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5345
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}"
              }
            ],
            "repeated": 0,
            "id": 5346
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 5347
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5cd7aee2-2219-4a67-b85d-6c9ce15660cb}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5348
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5349
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5350
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5351
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{B94237E7-57AC-4347-9151-B08C6C32D1F7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B94237E7-57AC-4347-9151-B08C6C32D1F7}"
              }
            ],
            "repeated": 0,
            "id": 5352
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5353
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B94237E7-57AC-4347-9151-B08C6C32D1F7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5354
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 5355
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5356
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5357
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
              }
            ],
            "repeated": 0,
            "id": 5358
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 5359
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5360
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5361
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5362
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5363
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{A63293E8-664E-48DB-A079-DF759E0509F7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A63293E8-664E-48DB-A079-DF759E0509F7}"
              }
            ],
            "repeated": 0,
            "id": 5364
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5365
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A63293E8-664E-48DB-A079-DF759E0509F7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5366
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 5367
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5368
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5369
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{5CE4A5E9-E4EB-479D-B89F-130C02886155}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5CE4A5E9-E4EB-479D-B89F-130C02886155}"
              }
            ],
            "repeated": 0,
            "id": 5370
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 5371
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5CE4A5E9-E4EB-479D-B89F-130C02886155}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5372
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5373
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5374
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5375
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{82A74AEB-AEB4-465C-A014-D097EE346D63}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A74AEB-AEB4-465C-A014-D097EE346D63}"
              }
            ],
            "repeated": 0,
            "id": 5376
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5377
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A74AEB-AEB4-465C-A014-D097EE346D63}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5378
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 5379
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5380
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5381
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"
              }
            ],
            "repeated": 0,
            "id": 5382
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 5383
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5384
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5385
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5386
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5387
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{43668BF8-C14E-49B2-97C9-747784D784B7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{43668BF8-C14E-49B2-97C9-747784D784B7}"
              }
            ],
            "repeated": 0,
            "id": 5388
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5389
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{43668BF8-C14E-49B2-97C9-747784D784B7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5390
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5391
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5392
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5393
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{915221FB-9EFE-4BDA-8FD7-F78DCA774F87}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{915221FB-9EFE-4BDA-8FD7-F78DCA774F87}"
              }
            ],
            "repeated": 0,
            "id": 5394
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5395
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{915221FB-9EFE-4bda-8FD7-F78DCA774F87}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5396
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5397
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5398
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5399
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7E636BFE-DFA9-4D5E-B456-D7B39851D8A9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7E636BFE-DFA9-4D5E-B456-D7B39851D8A9}"
              }
            ],
            "repeated": 0,
            "id": 5400
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5401
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7E636BFE-DFA9-4D5E-B456-D7B39851D8A9}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5402
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5403
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5404
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 5405
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}"
              }
            ],
            "repeated": 0,
            "id": 5406
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bd698",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5407
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 5408
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747bdebf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5409
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5410
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist"
              }
            ],
            "repeated": 0,
            "id": 5411
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5412
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 5413
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5414
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration"
              }
            ],
            "repeated": 0,
            "id": 5415
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5416
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5417
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf0\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5418
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 5419
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 5420
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5421
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xcc\\xee\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xf0\\xee\\xec\\x04\\xec\\xee\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5422
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 5423
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 5424
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5425
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747ba61c",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5426
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747ba7ad",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X,g\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5427
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5428
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 5429
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x740d8463",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5430
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747ba66b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5431
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5432
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5433
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5434
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5435
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5436
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5437
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5438
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5439
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5440
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5441
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5442
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5443
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xc7\\xec\\xc6\\xe0\\xc6\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xc9\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5444
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5445
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fe"
              }
            ],
            "repeated": 0,
            "id": 5446
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5447
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5448
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 5449
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5450
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Searches\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5451
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Searches\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5452
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Searches\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x009\\x000\\x003\\x001\\x00\r\\x00\n\\x00I\\x00c\\x00o\\x00n\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00=\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00e\\x00"
              },
              {
                "name": "Length",
                "value": "524"
              }
            ],
            "repeated": 0,
            "id": 5453
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Searches\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xd2@\\x08\\xf8v\\x07\\xdd\\x01LS\\x12\\xf0|\\x07\\xdd\\x01\\xa3z\"\\xf8v\\x07\\xdd\\x01\\xa3z\"\\xf8v\\x07\\xdd\\x01\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5454
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5455
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5456
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5457
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 5458
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5459
          },
          {
            "timestamp": "2026-06-29 22:15:01,812",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 5460
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5461
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5462
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5463
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5464
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5465
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5466
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5467
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5468
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5469
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5470
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xc7\\xec\\xc6\\xe0\\xc6\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xc9\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5471
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5472
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fe"
              }
            ],
            "repeated": 0,
            "id": 5473
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5474
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5475
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 5476
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5477
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Contacts\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5478
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Contacts\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x9c\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5479
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Contacts\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00C\\x00o\\x00m\\x00m\\x00o\\x00n\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00F\\x00i\\x00l\\x00e\\x00s\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x00\\\\x00w\\x00a\\x00b\\x003\\x002\\x00r\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x001\\x000\\x001\\x000\\x000\\x00\r\\x00\n\\x00I\\x00n\\x00f\\x00o\\x00T\\x00i\\x00p\\x00=\\x00@\\x00%\\x00C\\x00o\\x00m\\x00m\\x00o\\x00n\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00F\\x00i\\x00l\\x00e\\x00s\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00"
              },
              {
                "name": "Length",
                "value": "412"
              }
            ],
            "repeated": 0,
            "id": 5480
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Contacts\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "E\\x90\\xf7\\xf7v\\x07\\xdd\\x01LS\\x12\\xf0|\\x07\\xdd\\x01E\\x90\\xf7\\xf7v\\x07\\xdd\\x01E\\x90\\xf7\\xf7v\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5481
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5482
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5483
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5484
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 5485
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5486
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5487
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5488
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5489
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5490
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5491
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5492
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5493
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5494
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5495
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5496
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5497
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xc7\\xec\\xc6\\xe0\\xc6\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xc9\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5498
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5499
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fe"
              }
            ],
            "repeated": 0,
            "id": 5500
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5501
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5502
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 5503
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5504
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Favorites\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5505
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Favorites\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x98\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5506
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Favorites\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x007\\x009\\x006\\x00\r\\x00\n\\x00I\\x00c\\x00o\\x00n\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00=\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00"
              },
              {
                "name": "Length",
                "value": "402"
              }
            ],
            "repeated": 0,
            "id": 5507
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Favorites\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x88\\xf2\\xf9\\xf7v\\x07\\xdd\\x01LS\\x12\\xf0|\\x07\\xdd\\x01\\x88\\xf2\\xf9\\xf7v\\x07\\xdd\\x01\\xfc\\xce\\x00\\xfbv\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5508
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5509
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5510
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5511
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 5512
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5513
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 5514
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5515
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5516
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5517
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5518
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5519
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5520
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5521
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5522
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5523
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5524
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xc7\\xec\\xc6\\xe0\\xc6\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xc9\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5525
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5526
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fe"
              }
            ],
            "repeated": 0,
            "id": 5527
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5528
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5529
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 5530
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5531
          },
          {
            "timestamp": "2026-06-29 22:15:01,828",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Links\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5532
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Links\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5533
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Links\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x008\\x001\\x000\\x00\r\\x00\n\\x00I\\x00c\\x00o\\x00n\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00=\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00"
              },
              {
                "name": "Length",
                "value": "504"
              }
            ],
            "repeated": 0,
            "id": 5534
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Links\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xebS\\x1b\\xf8v\\x07\\xdd\\x01LS\\x12\\xf0|\\x07\\xdd\\x01\\xff\\xa1)\\xf8v\\x07\\xdd\\x01\\xff\\xa1)\\xf8v\\x07\\xdd\\x01\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5535
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5536
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5537
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5538
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 5539
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5540
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5541
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5542
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5543
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5544
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5545
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5546
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5547
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5548
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5549
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5550
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5551
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xc7\\xec\\xc6\\xe0\\xc6\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xc9\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5552
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5553
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fe"
              }
            ],
            "repeated": 0,
            "id": 5554
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5555
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5556
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 5557
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5558
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Saved Games\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5559
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Saved Games\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5560
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Saved Games\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x008\\x001\\x004\\x00\r\\x00\n\\x00I\\x00c\\x00o\\x00n\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00=\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00"
              },
              {
                "name": "Length",
                "value": "282"
              }
            ],
            "repeated": 0,
            "id": 5561
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\Saved Games\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xe9\\xb5\\x1d\\xf8v\\x07\\xdd\\x01LS\\x12\\xf0|\\x07\\xdd\\x01\\xe9\\xb5\\x1d\\xf8v\\x07\\xdd\\x01\\xe9\\xb5\\x1d\\xf8v\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5562
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5563
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5564
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5565
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 5566
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5567
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c18d3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5568
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5569
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 5570
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5571
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5572
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5573
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5574
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5575
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5576
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5577
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5578
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5579
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5580
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5581
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5582
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5583
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000100",
                "pretty_value": "KEY_WOW64_64KEY|0x02000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5584
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000100",
                "pretty_value": "KEY_WOW64_64KEY|0x02000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5585
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 5586
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747b6127",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5587
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5588
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 5589
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5590
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5591
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5592
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 5593
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747b6127",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5594
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5595
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5596
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 5597
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003fc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "UsersFiles\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\UsersFiles\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 5598
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003fc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "UsersFiles\\NameSpace\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\UsersFiles\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5599
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747b8fb0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5600
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5601
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5602
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5603
          },
          {
            "timestamp": "2026-06-29 22:15:01,843",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 5604
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 5605
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5606
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5607
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xee\\x8c\\xee\\x80\\xee\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02(\\xf1\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5608
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 5609
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5610
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5611
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xee\\x8c\\xee\\x80\\xee\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02(\\xf1\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5612
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 5613
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5614
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5615
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xee\\x8c\\xee\\x80\\xee\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02(\\xf1\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5616
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 5617
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5618
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5619
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xee\\x8c\\xee\\x80\\xee\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02(\\xf1\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5620
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 5621
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747ba92e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fe"
              }
            ],
            "repeated": 0,
            "id": 5622
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5623
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 5624
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5625
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 5626
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5627
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 5628
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5629
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 5630
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5631
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x747bb6a0",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              }
            ],
            "repeated": 0,
            "id": 5632
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c3dc4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5633
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x7486ea9e",
            "parentcaller": "0x74823020",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "C:\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5634
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5635
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5636
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003fc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5637
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5638
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5639
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5640
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5641
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5642
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5643
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5644
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7486b902",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5645
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7486b9ca",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08@k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5646
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7486b91b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5647
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5648
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5649
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003fc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5650
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 5651
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5652
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5653
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75757000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5654
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5655
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5656
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75755000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5657
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f4f089",
            "parentcaller": "0x76f52308",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5658
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75755000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5659
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5660
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5661
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5662
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\CFGMGR32.dll"
              }
            ],
            "repeated": 0,
            "id": 5663
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cfgmgr32.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5664
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5665
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5666
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 5667
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CFGMGR32"
              },
              {
                "name": "DllBase",
                "value": "0x75720000"
              }
            ],
            "repeated": 0,
            "id": 5668
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5669
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ea"
              }
            ],
            "repeated": 0,
            "id": 5670
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5671
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5672
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 5673
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5674
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5675
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x7572d193",
            "parentcaller": "0x75731bb5",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\CMApi"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5676
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f3002d",
            "parentcaller": "0x75728278",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5677
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f3002d",
            "parentcaller": "0x75728278",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\cfgmgr32"
              },
              {
                "name": "BaseAddress",
                "value": "0x75720000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7572d450"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 5678
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5679
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5680
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x7572d6f5",
            "parentcaller": "0x7572d654",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003c4"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "$\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00#\\x00\\x00\\xc0\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5681
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x7572c2c6",
            "parentcaller": "0x7572c173",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003c4"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "$\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00"
              }
            ],
            "repeated": 0,
            "id": 5682
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x75b9fd84",
            "parentcaller": "0x74824380",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000404"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000408"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 5683
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5684
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "2816",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 5685
          },
          {
            "timestamp": "2026-06-29 22:15:01,859",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5686
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x008\\x001\\x003\\x00\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "174"
              }
            ],
            "repeated": 0,
            "id": 5687
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "1096",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x022c3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5688
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "-j\\xb5\\xc9\\xde\\xac\\xd5\\x01\\xc6\\xb43\\xf0|\\x07\\xdd\\x01\\xb8\\x818{\\xde\\xac\\xd5\\x01G%\\xa9s}\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5689
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "1096",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5690
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "1096",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5691
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5692
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5693
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 5694
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 5695
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5696
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5697
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5698
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 5699
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5700
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "1096",
            "caller": "0x748807cb",
            "parentcaller": "0x76f694b0",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5701
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5702
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5703
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5704
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5705
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000408"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5706
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000404"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5707
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5708
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5709
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040a"
              }
            ],
            "repeated": 0,
            "id": 5710
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5711
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5712
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5713
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000040c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5714
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5715
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5716
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b9fd84",
            "parentcaller": "0x74824380",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000404"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000040c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 5717
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5718
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 5719
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "1096",
            "caller": "0x748807cb",
            "parentcaller": "0x76f694b0",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#0000000003300000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5720
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b9106a",
            "parentcaller": "0x748243cc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5721
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b9106a",
            "parentcaller": "0x7486fd9d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5722
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5723
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5724
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000040c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5725
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5726
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5727
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5728
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5729
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000404"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5730
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5731
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5732
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b9fd84",
            "parentcaller": "0x74824380",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000040c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000404"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 5733
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5734
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 5735
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "1096",
            "caller": "0x748807cb",
            "parentcaller": "0x76f694b0",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#00000008E0100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5736
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b9106a",
            "parentcaller": "0x748243cc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5737
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b9106a",
            "parentcaller": "0x7486fd9d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5738
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5739
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5740
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000404"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5741
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5742
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5743
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5744
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 5745
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000040c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 5746
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5747
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5748
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "2816",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5749
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000408"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5750
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000408"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8.\\xdf\\xeev\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfbd\\x01\\x00\\x00\\x00\\x02\\x00R\\x00a\\x00j\\x00e\\x00s\\x00h\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 5751
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 5752
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 5753
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5754
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 5755
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5756
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5757
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5758
          },
          {
            "timestamp": "2026-06-29 22:15:01,875",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5759
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000408"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5760
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5761
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5762
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xce\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xfc\\xce\\xac\\xce\\xa0\\xce\n\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02H\\xd1\\xec\\x04\\xbc^\\xb8u\n\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5763
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 5764
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040a"
              }
            ],
            "repeated": 0,
            "id": 5765
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 5766
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 5767
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006bb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5768
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "2816",
            "caller": "0x75b8f2b0",
            "parentcaller": "0x75b97cd6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000404"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5769
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5770
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "2816",
            "caller": "0x75b92644",
            "parentcaller": "0x7486b902",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5771
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5772
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "2816",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7486b9ca",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x93k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5773
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "2816",
            "caller": "0x75b9106a",
            "parentcaller": "0x7486b91b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5774
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5775
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000408"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5776
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5777
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5778
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xe5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xe5\\x94\\xe5\\x88\\xe5\n\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x020\\xe8\\xec\\x04\\xbc^\\xb8u\n\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5779
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "2816",
            "caller": "0x75b8f2b0",
            "parentcaller": "0x75b97cd6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000404"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x00e\\x000\\x000\\x008\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5780
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "2816",
            "caller": "0x75b9106a",
            "parentcaller": "0x75b97d3a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 5781
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "2816",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5782
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7481708d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 5783
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x7481715c",
            "parentcaller": "0x748170b0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5784
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748170ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 5785
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5786
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5787
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5788
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5789
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000408"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5790
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5791
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5792
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xfc\\xe6\\xac\\xe6\\xa0\\xe6\n\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02H\\xe9\\xec\\x04\\xbc^\\xb8u\n\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5793
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5794
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5795
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5796
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5797
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "2816",
            "caller": "0x75b8f2b0",
            "parentcaller": "0x75b97cd6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000404"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x00e\\x000\\x000\\x008\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5798
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 5799
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5800
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5801
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xe8\\x94\\xe8\\x88\\xe8\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xeb\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5802
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5803
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003fe"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5804
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5805
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5806
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xe8\\x94\\xe8\\x88\\xe8\n\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xeb\\xec\\x04\\xbc^\\xb8u\n\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5807
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe\\ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5808
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000040a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5809
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5810
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5811
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5812
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5813
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5814
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5815
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5816
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe8\\x9c\\xe8\\x90\\xe8\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x008\\xeb\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5817
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5818
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5819
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5820
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5821
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xe7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xe8\\x04\\xe8\\xf8\\xe7\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xa0\\xea\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5822
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 5823
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003fe"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 5824
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5825
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5826
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5827
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 5828
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 5829
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5830
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5831
          },
          {
            "timestamp": "2026-06-29 22:15:01,890",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe8\\x9c\\xe8\\x90\\xe8\\x06\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x008\\xeb\\xec\\x04\\xbc^\\xb8u\\x06\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5832
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5833
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000406"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5834
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5835
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5836
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5837
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 5838
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 5839
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5840
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5841
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe8\\x9c\\xe8\\x90\\xe8\\x0e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x008\\xeb\\xec\\x04\\xbc^\\xb8u\\x0e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5842
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5843
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000040e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\DataHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\DataHandler"
              }
            ],
            "repeated": 0,
            "id": 5844
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040a"
              }
            ],
            "repeated": 0,
            "id": 5845
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fe"
              }
            ],
            "repeated": 0,
            "id": 5846
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ea"
              }
            ],
            "repeated": 0,
            "id": 5847
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000406"
              }
            ],
            "repeated": 0,
            "id": 5848
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040e"
              }
            ],
            "repeated": 0,
            "id": 5849
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5850
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5851
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5852
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5853
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5854
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5855
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7481708d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5856
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x7481715c",
            "parentcaller": "0x748170b0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5857
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748170ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 5858
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5859
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5860
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5861
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5862
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5863
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5864
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5865
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf3L\\xf3@\\xf3\\x0e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf5\\xec\\x04\\xbc^\\xb8u\\x0e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5866
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5867
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5868
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5869
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5870
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 5871
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 5872
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5873
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5874
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xf4\\xcc\\xf3\\xc0\\xf3\\x06\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00h\\xf6\\xec\\x04\\xbc^\\xb8u\\x06\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5875
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 5876
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000406"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 5877
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5878
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5879
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf4\\\\xf4P\\xf4\\x06\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xf8\\xf6\\xec\\x04\\xbc^\\xb8u\\x06\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5880
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 5881
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000406"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 5882
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748175e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000406"
              }
            ],
            "repeated": 0,
            "id": 5883
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5884
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5885
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf6\\xc4\\xf5\\xb8\\xf5\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf8\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5886
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 5887
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5888
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5889
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf7\\x1c\\xf7\\x10\\xf7\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb8\\xf9\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5890
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 5891
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 5892
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5893
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5894
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5895
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5896
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5897
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5898
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5899
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf7\\x1c\\xf7\\x10\\xf7\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb8\\xf9\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5900
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 5901
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000408"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003fe"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\"
              }
            ],
            "repeated": 0,
            "id": 5902
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5903
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5904
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5905
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 5906
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000410"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 5907
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5908
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5909
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf7\\x1c\\xf7\\x10\\xf7\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb8\\xf9\\xec\\x04\\xbc^\\xb8u\\x12\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5910
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 5911
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000414"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\"
              }
            ],
            "repeated": 0,
            "id": 5912
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5913
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5914
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf4\\xa4\\xf4\\x98\\xf4\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\xf7\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5915
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 5916
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 5917
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5918
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5919
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5920
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 5921
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000418"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 5922
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5923
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5924
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf7\\x1c\\xf7\\x10\\xf7\\x1a\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb8\\xf9\\xec\\x04\\xbc^\\xb8u\\x1a\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5925
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 5926
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\"
              }
            ],
            "repeated": 0,
            "id": 5927
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5928
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5929
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5930
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 5931
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000420"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 5932
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5933
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5934
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf7\\x1c\\xf7\\x10\\xf7\"\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb8\\xf9\\xec\\x04\\xbc^\\xb8u\"\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5935
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 5936
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000424"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000422"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\"
              }
            ],
            "repeated": 0,
            "id": 5937
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76872000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5938
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76872000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5939
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5940
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5941
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5942
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5943
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5\\x06\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u\\x06\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5944
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 5945
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000406"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 5946
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76872000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5947
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76872000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5948
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "Compatibility"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 5949
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5950
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5951
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5952
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 5953
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Compatibility"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 5954
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5955
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5956
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5957
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5958
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5959
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 5960
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5961
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5962
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5963
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 5964
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5965
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5966
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5967
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              }
            ],
            "repeated": 0,
            "id": 5968
          },
          {
            "timestamp": "2026-06-29 22:15:01,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              }
            ],
            "repeated": 0,
            "id": 5969
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5970
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5971
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf22\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5972
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              }
            ],
            "repeated": 0,
            "id": 5973
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 5974
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 5975
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "PintoStartScreen"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 5976
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5977
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5978
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5979
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 5980
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PintoStartScreen"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 5981
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5982
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5983
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5984
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 5985
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5986
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5987
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5988
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 5989
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5990
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5991
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5992
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
              }
            ],
            "repeated": 0,
            "id": 5993
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
              }
            ],
            "repeated": 0,
            "id": 5994
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 5995
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5996
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf22\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5997
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
              }
            ],
            "repeated": 0,
            "id": 5998
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 5999
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 6000
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\"
              }
            ],
            "repeated": 0,
            "id": 6001
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76478602",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 6002
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6003
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6004
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5\n\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u\n\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6005
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6006
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000040a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6007
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000416"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6008
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000416"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6009
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5\\x16\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u\\x16\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6010
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6011
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000416"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6012
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6013
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6014
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6015
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6016
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6017
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "7-Zip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6018
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6019
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6020
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6021
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6022
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7-Zip"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6023
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6024
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6025
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6026
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6027
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6028
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6029
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6030
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6031
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6032
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6033
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6034
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              }
            ],
            "repeated": 0,
            "id": 6035
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              }
            ],
            "repeated": 0,
            "id": 6036
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6037
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6038
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf22\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6039
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              }
            ],
            "repeated": 0,
            "id": 6040
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 6041
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 6042
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "ModernSharing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6043
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6044
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6045
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6046
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6047
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ModernSharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6048
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6049
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6050
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6051
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6052
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6053
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6054
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6055
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6056
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6057
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6058
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6059
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              }
            ],
            "repeated": 0,
            "id": 6060
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              }
            ],
            "repeated": 0,
            "id": 6061
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6062
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6063
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf22\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6064
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              }
            ],
            "repeated": 0,
            "id": 6065
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 6066
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 6067
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "Open With"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6068
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6069
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6070
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6071
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6072
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Open With"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6073
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6074
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6075
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6076
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6077
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6078
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6079
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6080
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6081
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6082
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6083
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6084
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              }
            ],
            "repeated": 0,
            "id": 6085
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              }
            ],
            "repeated": 0,
            "id": 6086
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6087
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6088
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf22\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6089
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              }
            ],
            "repeated": 0,
            "id": 6090
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 6091
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 6092
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "Open With EncryptionMenu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6093
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6094
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6095
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6096
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6097
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Open With EncryptionMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6098
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6099
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6100
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6101
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6102
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6103
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6104
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf5.\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u.\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6105
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6106
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6107
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6108
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6109
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              }
            ],
            "repeated": 0,
            "id": 6110
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              }
            ],
            "repeated": 0,
            "id": 6111
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6112
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6113
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf22\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6114
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              }
            ],
            "repeated": 0,
            "id": 6115
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 6116
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 6117
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "Sharing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6118
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6119
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6120
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6121
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6122
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6123
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6124
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6125
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6126
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6127
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6128
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6129
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6130
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6131
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6132
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6133
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6134
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              }
            ],
            "repeated": 0,
            "id": 6135
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              }
            ],
            "repeated": 0,
            "id": 6136
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6137
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6138
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf2:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6139
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              }
            ],
            "repeated": 0,
            "id": 6140
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6141
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6142
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "Name",
                "value": "WorkFolders"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6143
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6144
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6145
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6146
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6147
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "WorkFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6148
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6149
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6150
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6151
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6152
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6153
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6154
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6155
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6156
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6157
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6158
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6159
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}"
              }
            ],
            "repeated": 0,
            "id": 6160
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}"
              }
            ],
            "repeated": 0,
            "id": 6161
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6162
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "Name",
                "value": "{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6163
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6164
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6165
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6166
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6167
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6168
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6169
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6170
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6171
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6172
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6173
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6174
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6175
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6176
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6177
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6178
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6179
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf2:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6180
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6181
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6182
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6183
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "Name",
                "value": "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6184
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6185
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6186
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6187
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6188
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6189
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6190
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6191
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6192
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6193
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6194
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6195
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6196
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6197
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6198
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6199
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6200
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf2:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6201
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6202
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6203
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6204
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\"
              }
            ],
            "repeated": 0,
            "id": 6205
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76478602",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 6206
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6207
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6208
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5&\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u&\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6209
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6210
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000426"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6211
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "CopyAsPathMenu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6212
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6213
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6214
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6215
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6216
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CopyAsPathMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6217
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6218
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6219
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6220
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6221
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6222
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6223
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6224
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6225
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6226
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6227
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6228
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              }
            ],
            "repeated": 0,
            "id": 6229
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              }
            ],
            "repeated": 0,
            "id": 6230
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6231
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6232
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf2:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6233
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              }
            ],
            "repeated": 0,
            "id": 6234
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6235
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6236
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "SendTo"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6237
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6238
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6239
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6240
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6241
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SendTo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6242
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6243
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6244
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6245
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6246
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6247
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6248
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6249
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6250
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6251
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6252
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6253
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              }
            ],
            "repeated": 0,
            "id": 6254
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              }
            ],
            "repeated": 0,
            "id": 6255
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6256
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6257
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf2:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6258
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              }
            ],
            "repeated": 0,
            "id": 6259
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6260
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6261
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6262
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6263
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6264
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6265
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6266
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6267
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6268
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6269
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6270
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6271
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6272
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6273
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6274
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6275
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6276
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6277
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6278
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6279
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6280
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6281
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6282
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6283
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6284
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6285
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6286
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6287
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6288
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6289
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6290
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6291
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6292
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6293
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6294
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf2:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6295
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6296
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6297
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6298
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6299
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6300
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6301
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6302
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6303
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6304
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6305
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6306
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6307
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6308
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6309
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6310
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6311
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6312
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6313
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6314
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6315
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xf2\\\\xf2P\\xf2:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xf4\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6316
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6317
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6318
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6319
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x764fd038",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\"
              }
            ],
            "repeated": 0,
            "id": 6320
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76478602",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 6321
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6322
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6323
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5\\x06\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u\\x06\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6324
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6325
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000406"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6326
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "Compatibility"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 6327
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6328
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6329
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6330
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 6331
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Compatibility"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 6332
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6333
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6334
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6335
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 6336
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6337
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6338
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6339
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility"
              }
            ],
            "repeated": 0,
            "id": 6340
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6341
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "PintoStartScreen"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 6342
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6343
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6344
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6345
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 6346
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PintoStartScreen"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 6347
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6348
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6349
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6350
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 6351
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6352
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6353
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6354
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen"
              }
            ],
            "repeated": 0,
            "id": 6355
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6356
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\"
              }
            ],
            "repeated": 0,
            "id": 6357
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76478602",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 6358
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6359
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6360
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5\n\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u\n\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6361
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6362
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000040a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6363
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000416"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6364
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000416"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6365
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5\\x16\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u\\x16\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6366
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6367
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000416"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6368
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6369
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6370
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6371
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6372
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6373
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "7-Zip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6374
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6375
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6376
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6377
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6378
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7-Zip"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6379
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6380
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6381
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6382
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6383
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6384
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6385
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6386
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 6387
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6388
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "ModernSharing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6389
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6390
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6391
          },
          {
            "timestamp": "2026-06-29 22:15:01,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6392
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6393
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ModernSharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6394
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6395
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6396
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6397
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6398
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6399
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6400
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6401
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing"
              }
            ],
            "repeated": 0,
            "id": 6402
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6403
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "Open With"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6404
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6405
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6406
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6407
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6408
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Open With"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6409
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6410
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6411
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6412
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6413
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6414
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6415
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6416
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With"
              }
            ],
            "repeated": 0,
            "id": 6417
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6418
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "Open With EncryptionMenu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6419
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6420
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6421
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6422
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6423
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Open With EncryptionMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6424
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6425
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6426
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6427
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6428
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6429
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6430
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6431
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu"
              }
            ],
            "repeated": 0,
            "id": 6432
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6433
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "Sharing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6434
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6435
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6436
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6437
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6438
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6439
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6440
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6441
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6442
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6443
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6444
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6445
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6446
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 6447
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6448
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "Name",
                "value": "WorkFolders"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6449
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6450
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6451
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6452
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6453
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "WorkFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6454
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6455
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6456
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6457
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6458
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6459
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6460
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6461
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders"
              }
            ],
            "repeated": 0,
            "id": 6462
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6463
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "Name",
                "value": "{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6464
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6465
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6466
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6467
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6468
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6469
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6470
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6471
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6472
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 6473
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6474
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "Name",
                "value": "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6475
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6476
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6477
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6478
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6479
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6480
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6481
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6482
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6483
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6484
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6485
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\"
              }
            ],
            "repeated": 0,
            "id": 6486
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76478602",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 6487
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6488
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6489
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5&\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u&\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6490
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6491
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000426"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shellex\\ContextMenuHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              }
            ],
            "repeated": 0,
            "id": 6492
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "CopyAsPathMenu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6493
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6494
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6495
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6496
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6497
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CopyAsPathMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6498
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6499
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6500
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6501
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6502
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6503
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6504
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6505
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu"
              }
            ],
            "repeated": 0,
            "id": 6506
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6507
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "SendTo"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6508
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6509
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6510
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6511
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6512
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SendTo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6513
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6514
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6515
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6516
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6517
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6518
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6519
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf5l\\xf5`\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf8\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6520
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo"
              }
            ],
            "repeated": 0,
            "id": 6521
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6522
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6523
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6524
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6525
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6526
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6527
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6528
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6529
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6530
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6531
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"
              }
            ],
            "repeated": 0,
            "id": 6532
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6533
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6534
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6535
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6536
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6537
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6538
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6539
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6540
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6541
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6542
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6543
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6544
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6545
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6546
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6547
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf6\\xec\\xf5\\xe0\\xf5*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x88\\xf8\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6548
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6549
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6550
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6551
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000436"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6552
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf5L\\xf5@\\xf56\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf7\\xec\\x04\\xbc^\\xb8u6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6553
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 6554
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764784b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 6555
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764784cb",
            "parentcaller": "0x76424ed5",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\"
              }
            ],
            "repeated": 0,
            "id": 6556
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76478602",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 6557
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6558
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6559
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6560
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 6561
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 6562
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6563
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6564
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6565
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 6566
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 6567
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7643d37a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 6568
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6569
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7643d37a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 6570
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6571
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6572
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6573
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6574
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6575
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6576
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6577
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6578
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6579
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6580
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6581
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0*\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u*\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6582
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6583
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 6584
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6585
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 6586
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6587
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 6588
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6589
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6590
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x7464071b",
            "parentcaller": "0x7464063c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{596ab062-b4d2-4215-9f74-e9109b0a8153}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596ab062-b4d2-4215-9f74-e9109b0a8153}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6591
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x746407b1",
            "parentcaller": "0x7464063c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 6592
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x746405c7",
            "parentcaller": "0x7643d12c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "twext.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6593
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6594
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 6595
          },
          {
            "timestamp": "2026-06-29 22:15:01,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 6596
          },
          {
            "timestamp": "2026-06-29 22:15:01,968",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\twext"
              },
              {
                "name": "DllBase",
                "value": "0x740a0000"
              }
            ],
            "repeated": 0,
            "id": 6597
          },
          {
            "timestamp": "2026-06-29 22:15:02,000",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "168"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x751524ac"
              }
            ],
            "repeated": 0,
            "id": 6598
          },
          {
            "timestamp": "2026-06-29 22:15:02,015",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32"
              },
              {
                "name": "DllBase",
                "value": "0x73e90000"
              }
            ],
            "repeated": 0,
            "id": 6599
          },
          {
            "timestamp": "2026-06-29 22:15:02,031",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "168"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x751524ac"
              }
            ],
            "repeated": 0,
            "id": 6600
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "596AB062-B4D2-4215-9F74-E9109B0A8153"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E4-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6601
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6602
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6603
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6604
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6605
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 6606
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6607
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6608
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 6609
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 6610
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748129da",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000438"
              }
            ],
            "repeated": 0,
            "id": 6611
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006bd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6612
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7481708d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000438"
              }
            ],
            "repeated": 0,
            "id": 6613
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x7481715c",
            "parentcaller": "0x748170b0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6614
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748170ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000438"
              }
            ],
            "repeated": 0,
            "id": 6615
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6616
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6617
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6618
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6619
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6620
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6621
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6622
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00D\\xf1\\xf4\\xf0\\xe8\\xf0:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x90\\xf3\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6623
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6624
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6625
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6626
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6627
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6628
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6629
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6630
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6631
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf1t\\xf1h\\xf12\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\xf4\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6632
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 6633
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000432"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 6634
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6635
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6636
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf12\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6637
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6638
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000432"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 6639
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748175e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 6640
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6641
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6642
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf3l\\xf3`\\xf3B\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xf6\\xec\\x04\\xbc^\\xb8uB\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6643
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6644
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6645
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6646
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf4\\x1c\\xf4\\x10\\xf4B\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf6\\xec\\x04\\xbc^\\xb8uB\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6647
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6648
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6649
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6650
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6651
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6652
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6653
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6654
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6655
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf4\\x1c\\xf4\\x10\\xf42\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf6\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6656
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6657
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6658
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6659
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6660
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 6661
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 6662
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6663
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6664
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf4\\x1c\\xf4\\x10\\xf4F\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf6\\xec\\x04\\xbc^\\xb8uF\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6665
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 6666
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6667
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6668
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf2L\\xf2@\\xf2B\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe8\\xf4\\xec\\x04\\xbc^\\xb8uB\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6669
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 6670
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000442"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 6671
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6672
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6673
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6674
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 6675
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000448"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 6676
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6677
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6678
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf4\\x1c\\xf4\\x10\\xf4J\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf6\\xec\\x04\\xbc^\\xb8uJ\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6679
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 6680
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6681
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6682
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6683
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6684
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6685
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6686
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6687
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf4\\x1c\\xf4\\x10\\xf4N\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf6\\xec\\x04\\xbc^\\xb8uN\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6688
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6689
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6690
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              }
            ],
            "repeated": 0,
            "id": 6691
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 6692
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 6693
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              }
            ],
            "repeated": 0,
            "id": 6694
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044e"
              }
            ],
            "repeated": 0,
            "id": 6695
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6696
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6697
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6698
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6699
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5&\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u&\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6700
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6701
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6702
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6703
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6704
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6705
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6706
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6707
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6708
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4N\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8uN\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6709
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
              }
            ],
            "repeated": 0,
            "id": 6710
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044e"
              }
            ],
            "repeated": 0,
            "id": 6711
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6712
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6713
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6714
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\PreviousVersions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PreviousVersions"
              }
            ],
            "repeated": 0,
            "id": 6715
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6716
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\PreviousVersions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions"
              }
            ],
            "repeated": 0,
            "id": 6717
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6718
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 6719
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 0,
            "id": 6720
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6721
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 6722
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 0,
            "id": 6723
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f51f50",
            "parentcaller": "0x76f38d78",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6724
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f392db",
            "parentcaller": "0x76f39742",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000044c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\twext.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6725
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f3978c",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000448"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000044c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\en-US\\twext.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 6726
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f397b4",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000448"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05040000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecea60"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6727
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x76f397c4",
            "parentcaller": "0x76f3926e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 6728
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b83595",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6729
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000448"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 6730
          },
          {
            "timestamp": "2026-06-29 22:15:02,047",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "SlowContextMenuEntries"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Buffer",
                "value": "`$\\xb2!\\xea:i\\x10\\xa2\\xdc\\x08\\x00+00\\x9d\\x87\\x01\\x00\\x00\\xbd\\x0e\\x0cGs]XM\\x9c\\xed\\xe9\\x1e\"\\xe22\\x822\\x02\\x00\\x00\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00FR\\x02\\x00\\x00v\\x96\\xbf\\xe2\\x8f_\\C\\x97\\xeb\\x11`z[\\xed\\xf7\\xdb\\x00\\x00\\x00b\\xb0jY\\xd2\\xb4\\x15B\\x9ft\\xe9\\x10\\x9b\n\\x81Sn\\x00\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries"
              }
            ],
            "repeated": 0,
            "id": 6731
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 6732
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6733
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6734
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6735
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 6736
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 6737
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6738
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6739
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6740
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 6741
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 6742
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7643d37a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 6743
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6744
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7643d37a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 6745
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6746
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6747
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6748
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6749
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6750
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6751
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6752
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6753
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 6754
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 6755
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 6756
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6757
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 6758
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6759
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6760
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6761
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6762
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000448"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6763
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6764
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6765
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xeeJ\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8uJ\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6766
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 6767
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              }
            ],
            "repeated": 0,
            "id": 6768
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 6769
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7481708d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 6770
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x7481715c",
            "parentcaller": "0x748170b0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6771
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748170ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 6772
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6773
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6774
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6775
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6776
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000448"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6777
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6778
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6779
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xdb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xdc\\xbc\\xdb\\xb0\\xdbJ\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xde\\xec\\x04\\xbc^\\xb8uJ\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6780
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6781
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6782
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6783
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6784
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6785
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6786
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6787
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6788
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xdc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xdc<\\xdc0\\xdcF\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd8\\xde\\xec\\x04\\xbc^\\xb8uF\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6789
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 6790
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000446"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 6791
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6792
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6793
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xdc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xdd\\xcc\\xdc\\xc0\\xdcF\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00h\\xdf\\xec\\x04\\xbc^\\xb8uF\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6794
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6795
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000446"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 6796
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748175e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 6797
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6798
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6799
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xde4\\xde(\\xde2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd0\\xe0\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6800
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6801
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6802
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6803
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xdd\\xa4\\xdd\\x98\\xdd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\xe0\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6804
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6805
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000432"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6806
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6807
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6808
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xfc\\xdd\\xac\\xdd\\xa0\\xddJ\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00H\\xe0\\xec\\x04\\xbc^\\xb8uJ\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6809
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6810
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000044a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6811
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6812
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6813
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6814
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6815
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6816
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6817
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6818
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xde\\xb4\\xdd\\xa8\\xddF\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00P\\xe0\\xec\\x04\\xbc^\\xb8uF\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6819
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6820
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000446"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6821
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6822
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6823
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xdc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xdd\\x14\\xdd\\x08\\xdd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xb0\\xdf\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6824
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 6825
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000432"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 6826
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6827
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6828
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6829
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 6830
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 6831
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6832
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6833
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xde\\xb4\\xdd\\xa8\\xddB\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00P\\xe0\\xec\\x04\\xbc^\\xb8uB\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6834
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6835
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000442"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6836
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6837
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6838
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6839
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6840
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6841
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6842
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6843
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xde\\xb4\\xdd\\xa8\\xdd:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00P\\xe0\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6844
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6845
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000043a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\{000214F9-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6846
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              }
            ],
            "repeated": 0,
            "id": 6847
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 6848
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 6849
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              }
            ],
            "repeated": 0,
            "id": 6850
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6851
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 6852
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6853
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 6854
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 6855
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748129da",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000438"
              }
            ],
            "repeated": 0,
            "id": 6856
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7481708d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000438"
              }
            ],
            "repeated": 0,
            "id": 6857
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x7481715c",
            "parentcaller": "0x748170b0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6858
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748170ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000438"
              }
            ],
            "repeated": 0,
            "id": 6859
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6860
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6861
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6862
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6863
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000438"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6864
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6865
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000043a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6866
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf1\\xec\\xf0\\xe0\\xf0:\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xf3\\xec\\x04\\xbc^\\xb8u:\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6867
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6868
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6869
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6870
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6871
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6872
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6873
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6874
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6875
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xf1l\\xf1`\\xf1B\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x08\\xf4\\xec\\x04\\xbc^\\xb8uB\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6876
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 6877
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000442"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 6878
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6879
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6880
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf2\\xfc\\xf1\\xf0\\xf1B\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x98\\xf4\\xec\\x04\\xbc^\\xb8uB\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6881
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6882
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000442"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 6883
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748175e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              }
            ],
            "repeated": 0,
            "id": 6884
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6885
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6886
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf3d\\xf3X\\xf3F\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf6\\xec\\x04\\xbc^\\xb8uF\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6887
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6888
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6889
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6890
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf4\\x14\\xf4\\x08\\xf4F\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf6\\xec\\x04\\xbc^\\xb8uF\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6891
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 6892
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6893
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6894
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6895
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6896
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6897
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6898
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6899
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf4\\x14\\xf4\\x08\\xf4B\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf6\\xec\\x04\\xbc^\\xb8uB\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6900
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 6901
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6902
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6903
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6904
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 6905
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000430"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 6906
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6907
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000432"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6908
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf4\\x14\\xf4\\x08\\xf42\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf6\\xec\\x04\\xbc^\\xb8u2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6909
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 6910
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6911
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6912
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xf2D\\xf28\\xf2F\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\xf4\\xec\\x04\\xbc^\\xb8uF\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6913
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 6914
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000446"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Clsid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 6915
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6916
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6917
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6918
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 6919
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000448"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 6920
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6921
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000044a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6922
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf4\\x14\\xf4\\x08\\xf4J\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf6\\xec\\x04\\xbc^\\xb8uJ\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6923
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 6924
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6925
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6926
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6927
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6928
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6929
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000452"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6930
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000452"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6931
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf4\\x14\\xf4\\x08\\xf4R\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf6\\xec\\x04\\xbc^\\xb8uR\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6932
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 6933
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043a"
              }
            ],
            "repeated": 0,
            "id": 6934
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 6935
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              }
            ],
            "repeated": 0,
            "id": 6936
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 6937
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              }
            ],
            "repeated": 0,
            "id": 6938
          },
          {
            "timestamp": "2026-06-29 22:15:02,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000452"
              }
            ],
            "repeated": 0,
            "id": 6939
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76422e27",
            "parentcaller": "0x7678c4a4",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6940
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6941
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6942
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x753ca7ea",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000448"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 6943
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6944
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75ba68b3",
            "parentcaller": "0x75ba6840",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 6945
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75ba67a1",
            "parentcaller": "0x75ba66ad",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 6946
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75ba67f0",
            "parentcaller": "0x75ba66ad",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000440"
              }
            ],
            "repeated": 0,
            "id": 6947
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75ba67a1",
            "parentcaller": "0x75ba66f3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 6948
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75ba67f0",
            "parentcaller": "0x75ba66f3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000440"
              }
            ],
            "repeated": 0,
            "id": 6949
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6950
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 6951
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x758a0a86",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000440"
              }
            ],
            "repeated": 0,
            "id": 6952
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6953
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6954
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "AppID\\invoice_231836298371.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 6955
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\AppID\\invoice_231836298371.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\AppID\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 6956
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6957
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "AppID\\invoice_231836298371.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 6958
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\AppID\\invoice_231836298371.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\AppID\\invoice_231836298371.exe"
              }
            ],
            "repeated": 0,
            "id": 6959
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6960
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 6961
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x757d0f0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000440"
              }
            ],
            "repeated": 0,
            "id": 6962
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 6963
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\OLE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 6964
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7588f5b7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 6965
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7588f5d0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6966
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7588f60a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00Mk\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6967
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7588f635",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 6968
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b94081",
            "parentcaller": "0x757d2447",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x0000001e"
              }
            ],
            "repeated": 0,
            "id": 6969
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6970
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x757d11a0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000440"
              }
            ],
            "repeated": 0,
            "id": 6971
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6972
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6973
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006bf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6974
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x757d340e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000440"
              }
            ],
            "repeated": 0,
            "id": 6975
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6976
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x759a8000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6977
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6978
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8f5ef",
            "parentcaller": "0x757fa36f",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.COM.DISABLE.3236"
              }
            ],
            "repeated": 0,
            "id": 6979
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8f5ef",
            "parentcaller": "0x75b92e4d",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.IEC.STATUS.6c736db0"
              }
            ],
            "repeated": 0,
            "id": 6980
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6981
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6982
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6983
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 6984
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6985
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6986
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xec\\xcc\\xeb\\xc0\\xebn\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00h\\xee\\xec\\x04\\xbc^\\xb8un\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6987
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 6988
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000470"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000046e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 6989
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000472"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6990
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000472"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6991
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xeb\\xa4\\xeb\\x98\\xebr\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xee\\xec\\x04\\xbc^\\xb8ur\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6992
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 6993
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000472"
              }
            ],
            "repeated": 0,
            "id": 6994
          },
          {
            "timestamp": "2026-06-29 22:15:04,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              }
            ],
            "repeated": 0,
            "id": 6995
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6996
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x753bcc42",
            "parentcaller": "0x753bc651",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000046c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 6997
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x753bccd3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000470"
              }
            ],
            "repeated": 0,
            "id": 6998
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f59426",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6999
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe4\\x7fi\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00y\\x00s\\x00W\\x00O\\x00W\\x006\\x004\\x00\\\\x00p\\x00r\\x00o\\x00p\\x00s\\x00y\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7000
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xcck\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7001
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7002
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "lok\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7003
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7004
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdcEh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7005
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00\\xd8Eh\\x00\\x00\\x00#\\x00\\xa4\\xef\\x98\\xefp\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0p\\x04\\x00\\x00\\xec\\xef\\xec\\x04\\x83\\x91\\xf5vp\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7006
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t\\x0cC{p\\x94\\xea\\xec\\x04p\\x04\\x00\\x00H\\xf9\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xa4\\xef\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7007
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006c1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7008
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f57121",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7009
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe4zi\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00p\\x00r\\x00o\\x00p\\x00s\\x00y\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7010
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xc8k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7011
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7012
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\pk\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7013
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7014
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "lCh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7015
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00hCh\\x00\\x00\\x00#\\x00\\x8c\\xed\\x80\\xedp\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0p\\x04\\x00\\x00\\xd4\\xed\\xec\\x04\\x83\\x91\\xf5vp\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7016
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93tdA{p|\\xe8\\xec\\x04p\\x04\\x00\\x00H\\xf9\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\x8c\\xed\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7017
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd23",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 7018
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd3c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000470"
              }
            ],
            "repeated": 0,
            "id": 7019
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x757d409f",
            "parentcaller": "0x757d3fd2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7020
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b94081",
            "parentcaller": "0x757d4069",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75760000"
              }
            ],
            "repeated": 0,
            "id": 7021
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75ba5297",
            "parentcaller": "0x75150f37",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000474"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7588cf60"
              },
              {
                "name": "Parameter",
                "value": "0x006b6ec8"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "2436"
              },
              {
                "name": "ProcessId",
                "value": "3236"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 7022
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75ba5297",
            "parentcaller": "0x75150f37",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x00000474",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x7588cf60"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "Parameter",
                "value": "0x006b6ec8"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "2436"
              }
            ],
            "repeated": 0,
            "id": 7023
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x757d4006",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7024
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7025
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x753bcc42",
            "parentcaller": "0x753bc651",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 7026
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x753bccd3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 7027
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f59426",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7028
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "$wi\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\x00\\x00B\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7029
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc9k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7030
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7031
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "tlk\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7032
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7033
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdcEh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7034
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00\\xd8Eh\\x00\\x00\\x00#\\x00\\xc4\\xf2\\xb8\\xf2|\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0|\\x04\\x00\\x00\\x0c\\xf3\\xec\\x04\\x83\\x91\\xf5v|\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7035
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t,^{p\\xb4\\xed\\xec\\x04|\\x04\\x00\\x00\\x1c\\xfd\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xc4\\xf2\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7036
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f57121",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7037
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "Tyi\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7038
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xc7k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7039
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7040
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xbcok\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7041
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7042
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "lCh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7043
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00hCh\\x00\\x00\\x00#\\x00\\xac\\xf0\\xa0\\xf0|\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0|\\x04\\x00\\x00\\xf4\\xf0\\xec\\x04\\x83\\x91\\xf5v|\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7044
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t\\x04\\{p\\x9c\\xeb\\xec\\x04|\\x04\\x00\\x00\\x1c\\xfd\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xac\\xf0\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7045
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd23",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7046
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd3c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 7047
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7048
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x753bcc42",
            "parentcaller": "0x753bc651",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000047c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 7049
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x753bccd3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 7050
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f59426",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7051
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x14xi\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\x00\\x00B\\x00\\x00\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7052
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xc7k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7053
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7054
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x1cok\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7055
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7056
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdcEh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7057
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00\\xd8Eh\\x00\\x00\\x00#\\x00\\xc4\\xf2\\xb8\\xf2\\x8c\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0\\x8c\\x04\\x00\\x00\\x0c\\xf3\\xec\\x04\\x83\\x91\\xf5v\\x8c\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7058
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t,^{p\\xb4\\xed\\xec\\x04\\x8c\\x04\\x00\\x00\\x1c\\xfd\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xc4\\xf2\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7059
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f57121",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7060
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc4wi\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7061
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \\xc4k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7062
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7063
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "Tnk\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7064
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7065
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "DFh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7066
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00@Fh\\x00\\x00\\x00#\\x00\\xac\\xf0\\xa0\\xf0\\x8c\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0\\x8c\\x04\\x00\\x00\\xf4\\xf0\\xec\\x04\\x83\\x91\\xf5v\\x8c\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7067
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t\\x04\\{p\\x9c\\xeb\\xec\\x04\\x8c\\x04\\x00\\x00\\x1c\\xfd\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xac\\xf0\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7068
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd23",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 7069
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd3c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 7070
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7071
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x753bcc42",
            "parentcaller": "0x753bc651",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 7072
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x753bccd3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 7073
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f59426",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7074
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc4|i\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7075
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xcdk\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7076
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7077
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb4mk\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7078
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7079
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xacFh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7080
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00\\xa8Fh\\x00\\x00\\x00#\\x00\\xc4\\xf2\\xb8\\xf2|\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0|\\x04\\x00\\x00\\x0c\\xf3\\xec\\x04\\x83\\x91\\xf5v|\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7081
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t,^{p\\xb4\\xed\\xec\\x04|\\x04\\x00\\x00\\x1c\\xfd\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xc4\\xf2\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7082
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f57121",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7083
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe4\\x7fi\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00y\\x00s\\x00W\\x00O\\x00W\\x006\\x004\\x00\\\\x00p\\x00r\\x00o\\x00p\\x00s\\x00y\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7084
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xc6k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7085
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7086
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "tlk\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7087
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7088
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdcEh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7089
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00\\xd8Eh\\x00\\x00\\x00#\\x00\\xac\\xf0\\xa0\\xf0|\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0|\\x04\\x00\\x00\\xf4\\xf0\\xec\\x04\\x83\\x91\\xf5v|\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7090
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t\\x04\\{p\\x9c\\xeb\\xec\\x04|\\x04\\x00\\x00\\x1c\\xfd\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xac\\xf0\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7091
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd23",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 7092
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd3c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 7093
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7094
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x753bcc42",
            "parentcaller": "0x753bc651",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000047c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 7095
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x753bccd3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 7096
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f59426",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7097
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc4wi\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7098
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xcek\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7099
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7100
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe4ok\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7101
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7102
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "|Gh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7103
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00xGh\\x00\\x00\\x00#\\x00\\xc4\\xf2\\xb8\\xf2\\x8c\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0\\x8c\\x04\\x00\\x00\\x0c\\xf3\\xec\\x04\\x83\\x91\\xf5v\\x8c\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7104
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t,^{p\\xb4\\xed\\xec\\x04\\x8c\\x04\\x00\\x00\\x1c\\xfd\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xc4\\xf2\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7105
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f569f0",
            "parentcaller": "0x76f57121",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xee\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7106
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59094",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x04~i\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7107
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590d3",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xc8k\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7108
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f590f0",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7109
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5912f",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x0cpk\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7110
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59148",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7111
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59183",
            "parentcaller": "0x76f56a95",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "lCh\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 7112
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f59210",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x86UtX\\xa3Ut\\x06\\x00\\x00\\x00D\\xa3Ut`\\x00\\x00\\x00hCh\\x00\\x00\\x00#\\x00\\xac\\xf0\\xa0\\xf0\\x8c\\x04\\x00\\x00\\x8c\\x03\\x00\\x00\\x00\\x00e\\x00#\\x00\\x00\\xc0\\x8c\\x04\\x00\\x00\\xf4\\xf0\\xec\\x04\\x83\\x91\\xf5v\\x8c\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7113
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f5923e",
            "parentcaller": "0x76f59193",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\xac\\xdf]t\\xcc\\xa2\\x7f\\x02\\x8c\\x03z\\x02#\\x00\\x00\\xc0\\xbc\\xa93t\\x04\\{p\\x9c\\xeb\\xec\\x04\\x8c\\x04\\x00\\x00\\x1c\\xfd\\xec\\x04\\x10\\xf4Jt\\xd8K\\xc1\\x00\\xfe\\xff\\xff\\xff\\xac\\xf0\\xec\\x04v\\x1b7t\\x17\\x00\\x00\\x00\\x8c}Utt\\xa3Ut"
              }
            ],
            "repeated": 0,
            "id": 7114
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd23",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 7115
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753bcd3c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 7116
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f679e9",
            "parentcaller": "0x757d2567",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7117
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006c3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7118
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "348",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006c5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7119
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "348",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7120
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "348",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7121
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "348",
            "caller": "0x75b9fd84",
            "parentcaller": "0x753ca7ea",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000047c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 7122
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "348",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006c6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7123
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "1140",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7124
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "1140",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7125
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "1140",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7126
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7127
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              }
            ],
            "repeated": 0,
            "id": 7128
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7129
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7130
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5&\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u&\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7131
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 7132
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7133
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7134
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006c9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7135
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7136
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              }
            ],
            "repeated": 0,
            "id": 7137
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              }
            ],
            "repeated": 0,
            "id": 7138
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000496"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7139
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000496"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7140
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4\\x96\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u\\x96\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7141
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
              }
            ],
            "repeated": 0,
            "id": 7142
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000496"
              }
            ],
            "repeated": 0,
            "id": 7143
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b83595",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7144
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 7145
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "ValueName",
                "value": "SlowContextMenuEntries"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Buffer",
                "value": "`$\\xb2!\\xea:i\\x10\\xa2\\xdc\\x08\\x00+00\\x9d\\x87\\x01\\x00\\x00\\xbd\\x0e\\x0cGs]XM\\x9c\\xed\\xe9\\x1e\"\\xe22\\x822\\x02\\x00\\x00\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00FR\\x02\\x00\\x00v\\x96\\xbf\\xe2\\x8f_\\C\\x97\\xeb\\x11`z[\\xed\\xf7\\xdb\\x00\\x00\\x00@\\xc7\\xa4{\\x81\\x9e\\xcf\\x11\\x99\\xd3\\x00\\xaa\\x00J\\xe87\\xaf\n\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries"
              }
            ],
            "repeated": 0,
            "id": 7146
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7147
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76422cf3",
            "parentcaller": "0x7678c17e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7148
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7149
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7150
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7151
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 7152
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 7153
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7154
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7155
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7156
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7157
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7158
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7159
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7160
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7161
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000496"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7162
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000496"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7163
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\x96\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\x96\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7164
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7165
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000496"
              }
            ],
            "repeated": 0,
            "id": 7166
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7167
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}"
              }
            ],
            "repeated": 0,
            "id": 7168
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7169
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7170
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5&\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u&\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7171
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 7172
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7173
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7174
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7175
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}"
              }
            ],
            "repeated": 0,
            "id": 7176
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}"
              }
            ],
            "repeated": 0,
            "id": 7177
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000496"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7178
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000496"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7179
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4\\x96\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u\\x96\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7180
          },
          {
            "timestamp": "2026-06-29 22:15:04,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}"
              }
            ],
            "repeated": 0,
            "id": 7181
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000496"
              }
            ],
            "repeated": 0,
            "id": 7182
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7183
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7184
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7185
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 7186
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 7187
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7188
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7189
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7190
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7191
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7192
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7193
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7194
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7195
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000496"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7196
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000496"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7197
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\x96\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\x96\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7198
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7199
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000496"
              }
            ],
            "repeated": 0,
            "id": 7200
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7201
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}"
              }
            ],
            "repeated": 0,
            "id": 7202
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7203
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7204
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7205
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 7206
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7207
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7208
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7209
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}"
              }
            ],
            "repeated": 0,
            "id": 7210
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}"
              }
            ],
            "repeated": 0,
            "id": 7211
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000476"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7212
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000476"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7213
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4v\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8uv\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7214
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"
              }
            ],
            "repeated": 0,
            "id": 7215
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              }
            ],
            "repeated": 0,
            "id": 7216
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7217
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 7218
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7219
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7220
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 7221
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7222
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 7223
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006ca000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7224
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 7225
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7226
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7227
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7228
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 7229
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000494"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 7230
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7231
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe4\\xd1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xffd\\xd2\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\x88\\xd2\\xec\\x04\\x84\\xd2\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7232
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7233
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000494"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 7234
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7235
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7236
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 7237
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 7238
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7239
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7240
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 7241
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000474"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 7242
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7243
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7244
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 7245
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 7246
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0d92",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7247
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7248
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7249
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7250
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 7251
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000498"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 7252
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 7253
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe4\\xd1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xffd\\xd2\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\x88\\xd2\\xec\\x04\\x84\\xd2\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7254
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7255
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000498"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 7256
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 7257
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7258
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7259
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7260
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7261
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7262
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7263
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7264
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7265
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7266
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7267
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7268
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7269
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7270
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 7271
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000474"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 7272
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7273
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe4\\xd1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xffd\\xd2\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\x88\\xd2\\xec\\x04\\x84\\xd2\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7274
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7275
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000474"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 7276
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7277
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7278
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 7279
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 7280
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7281
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7282
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 7283
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x747c69db",
            "parentcaller": "0x747c62a0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7284
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7285
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7286
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x7411564c",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3236:168:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7287
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x741155b5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 7288
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7289
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7290
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x741176b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7291
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x741155e8",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 7292
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x741154c7",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3236:64:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7293
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x741155b5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 7294
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7295
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7296
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x741176b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 7297
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x741155e8",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 7298
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7299
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7300
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75ba4eeb",
            "parentcaller": "0x75608c21",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 7301
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75ba5297",
            "parentcaller": "0x75150f37",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000049c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x755fcda0"
              },
              {
                "name": "Parameter",
                "value": "0x022c3908"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "408"
              },
              {
                "name": "ProcessId",
                "value": "3236"
              },
              {
                "name": "Module",
                "value": "SHCORE.dll"
              }
            ],
            "repeated": 0,
            "id": 7302
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75ba5297",
            "parentcaller": "0x75150f37",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x0000049c",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x755fcda0"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "Parameter",
                "value": "0x022c3908"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "408"
              }
            ],
            "repeated": 0,
            "id": 7303
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75babca3",
            "parentcaller": "0x755fcd13",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000049c"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "408"
              },
              {
                "name": "ProcessId",
                "value": "3236"
              }
            ],
            "repeated": 0,
            "id": 7304
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000049c"
              }
            ],
            "repeated": 0,
            "id": 7305
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75609b9f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 7306
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006cc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7307
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7308
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7309
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560a1ce",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 7310
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x756090b3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 7311
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75ba4eeb",
            "parentcaller": "0x7562f035",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x10!\\x00\\xa4\\x0c\\x00\\x00\\x98\\x01\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "408"
              }
            ],
            "repeated": 0,
            "id": 7312
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7313
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7314
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7315
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741a4000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7316
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75888234",
            "parentcaller": "0x758863b8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\WindowsRuntime"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime"
              }
            ],
            "repeated": 0,
            "id": 7317
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75888234",
            "parentcaller": "0x75831959",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004a8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ActivatableClassId"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId"
              }
            ],
            "repeated": 0,
            "id": 7318
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x758817d7",
            "parentcaller": "0x75831999",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.FileTypeAssociation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation"
              }
            ],
            "repeated": 0,
            "id": 7319
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75881887",
            "parentcaller": "0x75881832",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b0"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00h\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00F\\x00i\\x00l\\x00e\\x00T\\x00y\\x00p\\x00e\\x00A\\x00s\\x00s\\x00o\\x00c\\x00i\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\xffbc\\xfff4j\\x05\\xffde]\\xfff4v\\x14yi\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H4j\\x00H4j\\x00hok\\x00H4j\\x00\\x08\\xfff5j\\x05\\xff84\\x006t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PY\\xfffdq4\\xff82\\xff88u\\x00\\x00\\x00\\x00\\xffb8c\\xff88u<\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff0\\xfff5j\\x05\\xff84\\x006t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00hY\\xfffdq4\\xff82\\xff88u\\x00\\x00\\x00\\x00Y\\x19\\xff83u>\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\x00\\x00k\\x05\\x00\\x00\\x00\\x00\\xfff8\\xfff4j\\x05/\\xffde5t\\xffcc\\xffffj\\x054\\xff82\\xff88u\\xffd8\\xffbcWtY\\x19\\xff83up\\xfff5j\\x05\\xffa6\\xffe45t\\xffd8%Ut\\x00Y\\xfffdq\\xff98\\xfff0j\\x05\\xffd8\\xffbcWt\\xffcc\\xffffj\\x05\\x10\\xfff4Jt\\xffd8K\\xffc1\\x00\\xfffe\\xffff\\xffff\\xffff\\xffbc\\xfff5j\\x05\\xffdfj7t\\x18\\x00\\x00\\x00\\xffa8\\xffacUt\\xffa0\\xffb2Ut\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff99\\xffb2Ut\\xffbc\\xffb1Ut\\xffa8\\xff8fj\\x00\\xffd8hUt\\x19\\x01\\x02\\x00d\\xffb2Ut\\xffa8\\x04\\x00\\x00L\\xffb2Ut\\x10\\xfff6j\\x05J\\x13\\xff81\\x1bX\\xffb0k\\x00\\xffa8\\x04\\x00\\x00\\xffa8\\xff8fj\\x00\\xffa8\\xff8f\\x00\\x00\\xff98\\xfff5j\\x05X\\xffb0k\\x00\\xffcc\\xffffj\\x05@\\xffad\\xfff7v&#\\xffebi\\xfffe\\xffff\\xffff\\xffff\\xfff4\\xfff5j\\x05;\\xff82\\xff88u\\x00\\x00\\x00\\x00\\xffa8\\x04\\x00\\x00xlk\\x00\\x18\\x00\\x00\\x00\\xffa8\\x04\\x00\\x00\\x10\\xfff6j\\x05@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0b\\xff88u(\\xfff6j\\x05Y\\x19\\xff83u\\x19\\x01\\x02\\x00\\xffa8\\xff8fj\\x00\\x00c\\xff88u\\xffa0\\xff8fj\\x00po
k\\x00$\\x00&\\x00p\\xffb0k\\x00D\\xfff6j\\x05@\\xffa0\\xff82u\\x00B\\xff89uplk\\x00<\\xfff6j\\x05\\x1cc\\xff88u"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7320
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CustomAttributes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7321
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7322
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              }
            ],
            "repeated": 0,
            "id": 7323
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75888234",
            "parentcaller": "0x75831959",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004a8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server"
              }
            ],
            "repeated": 0,
            "id": 7324
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x758817d7",
            "parentcaller": "0x75831999",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "StateRepository"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository"
              }
            ],
            "repeated": 0,
            "id": 7325
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75881887",
            "parentcaller": "0x75881832",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b8"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffcek|\\xffd3\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00\\x00\\x00\\xffac\\xffafk\\x00\\xff98\\xfffbj\\x00\\xffa0kk\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xffcc\\x01\\x02\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00l\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00h\\x08\\x02\\x00\\x08\\xffbfWt\\xffa4\\xfff1j\\x05\\xffde]\\xfff4v4|i\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xffb3k\\x00p\\xffb3k\\x00\\xff90ok\\x00p\\xffb3k\\x00\\xffad[\\xff91u0\\xfff3j\\x05\\xff93\\x0c\\xff83u(\\xffc1j\\x00`\t\\xff83u |i\\x00\\xfff4\\x0c\\xff83u\\x00\\x00\\x00\\x00\\xffda6>t |i\\x00\\x18\\xfff2j\\x05\\xff84\\x006t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@^\\xfffdq4\\xff82\\xff88u\\x00\\x00\\x00\\x00Y\\x19\\xff83u9\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\x00\\x00k\\x05\\x00\\x00\\x00\\x00\\xffe0\\xfff1j\\x05/\\xffde5t\\xffcc\\xffffj\\x054\\xff82\\xff88u\\xffd8\\xffbcWtY\\x19\\xff83uX\\xfff2j\\x05\\xffa6\\xffe45t\\xffd8%Ut\\x18^\\xfffdq\\xff80\\xffedj\\x05\\xffd8\\xffbcWt\\xffcc\\xffffj\\x05\\x10\\xfff4Jt\\xffd8K\\xffc1\\x00\\xfffe\\xffff\\xffff\\xffff\\xffa4\\xfff2j\\x05\\xffdfj7t\\x18\\x00\\x00\\x00\\xffa8\\xffacUt\\xffa0\\xffb2Ut\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff99\\xffb2Ut\\xffbc\\xffb1Ut0\\xffc1j\\x00\\xffd8hUt\\x19\\x01\\x02\\x00d\\xffb2Ut\\xffa8\\x04\\x00\\x00L\\xffb2Ut\\xfff8\\xfff2j\\x05\"\\x14\\xff81\\x1b\\xffd8\\xffbfj\\x00\\xffa8\\x04\\x00\\x000\\xffc1j\\x000\\xffc1\\x00\\x00\\xff80\\xfff2j\\x05\\xffd8\\xffbfj\\x00\\xffcc\\xffffj\\x05@\\xffad\\xfff7v&#\\xffebi\\xfffe\\xffff\\xffff\\xffff\\xffdc\\xfff2j\\x05;\\xff82\\xff88u\\x00\\x00\\x00\\x00\\xffa8\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xffa8\\x04\\x00\\x00\\xfff8\\xfff2j\\x05@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x
00\\xfff4\\xfff2j\\x05\\x10\\xfff3j\\x05Y\\x19\\xff83u\\x19\\x01\\x02\\x000\\xffc1j\\x00\\x00c\\xff88u(\\xffc1j\\x00\\xff98ok\\x00\\x0c\\x00\\x0e\\x00\\xfff0\\xffbfj\\x00xCvup\\xffc2h\\x00\\xffd0\\x17\\xff83u\\x0c\\x18\\xff9au$\\xfff3j\\x05\\x1cc\\xff88u"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7326
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CustomAttributes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7327
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006cd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7328
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7582b908",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 7329
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7582b908",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              }
            ],
            "repeated": 0,
            "id": 7330
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x753ca7ea",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004bc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 7331
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x753bb942",
            "parentcaller": "0x753bb8d6",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7332
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006ce000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7333
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8f11f",
            "parentcaller": "0x75817b2e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75760000"
              }
            ],
            "repeated": 0,
            "id": 7334
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006cf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7335
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x758525c3",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004c4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 7336
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75bab09e",
            "parentcaller": "0x75b9491b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7337
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8fb07",
            "parentcaller": "0x75babec1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7338
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b94155",
            "parentcaller": "0x75b944d3",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 7339
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b940c6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 7340
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75bab09e",
            "parentcaller": "0x75b94234",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7341
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b94290",
            "parentcaller": "0x75b94270",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              }
            ],
            "repeated": 0,
            "id": 7342
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x758899e4",
            "parentcaller": "0x76f3101f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7343
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7584d2e3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7344
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7345
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7346
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}"
              }
            ],
            "repeated": 0,
            "id": 7347
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}"
              }
            ],
            "repeated": 0,
            "id": 7348
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7349
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7350
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xdfj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xdfd\\xdfX\\xdf\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x00\\xe2j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7351
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7352
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7353
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7354
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7355
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xdfj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xdf<\\xdf0\\xdf\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe1j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7356
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7357
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 7358
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ce"
              }
            ],
            "repeated": 0,
            "id": 7359
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7360
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7361
          },
          {
            "timestamp": "2026-06-29 22:15:04,812",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 7362
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 7363
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7364
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7365
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xd3j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xd4\\xe4\\xd3\\xd8\\xd3\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x80\\xd6j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7366
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7367
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7368
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x757fcbd0",
            "parentcaller": "0x757fcb80",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 1,
            "id": 7369
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7370
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xd3\\xcc\\xd2\\xc0\\xd2\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02h\\xd5j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7371
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              }
            ],
            "repeated": 0,
            "id": 7372
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7373
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7374
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xd2\\xa4\\xd2\\x98\\xd2\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xd5j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7375
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              }
            ],
            "repeated": 0,
            "id": 7376
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7377
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7378
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xd2\\xa4\\xd2\\x98\\xd2\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xd5j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7379
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              }
            ],
            "repeated": 0,
            "id": 7380
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7381
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7382
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xd34\\xd3(\\xd3\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd0\\xd5j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7383
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7384
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7385
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7386
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7387
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xd2L\\xd2@\\xd2\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xd4j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7388
          },
          {
            "timestamp": "2026-06-29 22:15:04,828",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7389
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7390
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7391
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xd2t\\xd2h\\xd2\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xd5j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7392
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7393
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7394
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7395
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xd2t\\xd2h\\xd2\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xd5j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7396
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7397
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7398
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7399
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xd1j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xd2,\\xd2 \\xd2\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xd4j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7400
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7401
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x757fd74c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 7402
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7403
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7404
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xd3\\xcc\\xd2\\xc0\\xd2\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00h\\xd5j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7405
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 7406
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 7407
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7408
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7409
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xd3\\xcc\\xd2\\xc0\\xd2\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00h\\xd5j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7410
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 7411
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 7412
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x757fc97c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ce"
              }
            ],
            "repeated": 0,
            "id": 7413
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7414
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7415
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7416
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7417
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 7418
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 7419
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7420
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7421
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xcfj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xcf\\x8c\\xcf\\x80\\xcf\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00(\\xd2j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7422
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7423
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7424
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x757fcbd0",
            "parentcaller": "0x757fcb80",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 1,
            "id": 7425
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7426
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xcej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xcet\\xceh\\xce\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xd1j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7427
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              }
            ],
            "repeated": 0,
            "id": 7428
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7429
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7430
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xcej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xceL\\xce@\\xce\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xd0j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7431
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              }
            ],
            "repeated": 0,
            "id": 7432
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7433
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7434
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xcej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xceL\\xce@\\xce\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xd0j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7435
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              }
            ],
            "repeated": 0,
            "id": 7436
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7437
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7438
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xcej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xcf\\xdc\\xce\\xd0\\xce\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00x\\xd1j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7439
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7440
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7441
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7442
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7443
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xcdj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00D\\xce\\xf4\\xcd\\xe8\\xcd\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x90\\xd0j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7444
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7445
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7446
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7447
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xcdj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xce\\x1c\\xce\\x10\\xce\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xd0j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7448
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7449
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7450
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7451
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xcdj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xce\\x1c\\xce\\x10\\xce\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xd0j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7452
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7453
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7454
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7455
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xcdj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xce\\xd4\\xcd\\xc8\\xcd\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xd0j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7456
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7457
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x757fd74c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 7458
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7459
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7460
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xcej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xcet\\xceh\\xce\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\xd1j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7461
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 7462
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 7463
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7464
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7465
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xcej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xcet\\xceh\\xce\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\xd1j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7466
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 7467
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 7468
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7469
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7470
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xcdj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xce$\\xce\\x18\\xce\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xc0\\xd0j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7471
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 7472
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 7473
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7474
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7475
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xcdj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xcd\\xa4\\xcd\\x98\\xcd\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xd0j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7476
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              }
            ],
            "repeated": 0,
            "id": 7477
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7478
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7479
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xcdj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xce\\xdc\\xcd\\xd0\\xcd\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00x\\xd0j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7480
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 7481
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 7482
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7483
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7484
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 7485
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 7486
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7487
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7488
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xcej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xcf\\xdc\\xce\\xd0\\xce\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00x\\xd1j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7489
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 7490
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Elevation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 7491
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7587cad3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 7492
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x757fc97c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ce"
              }
            ],
            "repeated": 0,
            "id": 7493
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7494
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7495
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 7496
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 7497
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7498
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7499
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xdcj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xdd\\x04\\xdd\\xf8\\xdc\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xa0\\xdfj\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7500
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7501
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7502
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x758117e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ce"
              }
            ],
            "repeated": 0,
            "id": 7503
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7504
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7505
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "Windows.StateRepositoryPS.dll"
              }
            ],
            "repeated": 0,
            "id": 7506
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
              }
            ],
            "repeated": 0,
            "id": 7507
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e155",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7508
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e155",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\Windows.StateRepositoryPS.dll"
              }
            ],
            "repeated": 0,
            "id": 7509
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73df0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00093000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7510
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7511
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7512
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e71000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7513
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e71000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7514
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 7515
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 7516
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7517
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7518
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7519
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
              }
            ],
            "repeated": 0,
            "id": 7520
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7521
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 7522
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS"
              },
              {
                "name": "DllBase",
                "value": "0x73df0000"
              }
            ],
            "repeated": 0,
            "id": 7523
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\Windows.StateRepositoryPS"
              },
              {
                "name": "BaseAddress",
                "value": "0x73df0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x73e6cac0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7524
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7525
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7526
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7527
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7528
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              }
            ],
            "repeated": 0,
            "id": 7529
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              }
            ],
            "repeated": 0,
            "id": 7530
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7531
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7532
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xdej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xdf$\\xdf\\x18\\xdf\\xce\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xc0\\xe1j\\x05\\xbc^\\xb8u\\xce\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7533
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7534
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7535
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7536
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7537
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xdej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xdf\\xfc\\xde\\xf0\\xde\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xe1j\\x05\\xbc^\\xb8u\\xd2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7538
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7539
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 7540
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ce"
              }
            ],
            "repeated": 0,
            "id": 7541
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x758383c5",
            "parentcaller": "0x75838242",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7542
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f561ea",
            "parentcaller": "0x75ba9549",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 7543
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f56211",
            "parentcaller": "0x75ba9549",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 7544
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x753bb942",
            "parentcaller": "0x753bb8d6",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7545
          },
          {
            "timestamp": "2026-06-29 22:15:04,843",
            "thread_id": "408",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7546
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7547
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7548
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}"
              }
            ],
            "repeated": 0,
            "id": 7549
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}"
              }
            ],
            "repeated": 0,
            "id": 7550
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7551
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7552
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xe6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xe6\\xa4\\xe6\\x98\\xe6\\xd6\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00@\\xe9j\\x05\\xbc^\\xb8u\\xd6\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7553
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7554
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d6"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7555
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7556
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7557
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xe6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xcc\\xe6|\\xe6p\\xe6\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x18\\xe9j\\x05\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7558
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7559
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              }
            ],
            "repeated": 0,
            "id": 7560
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d6"
              }
            ],
            "repeated": 0,
            "id": 7561
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7562
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7563
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7564
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7565
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x75ba4eeb",
            "parentcaller": "0x755fd75f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x10!\\x00\\xa4\\x0c\\x00\\x00\\x98\\x01\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "408"
              }
            ],
            "repeated": 0,
            "id": 7566
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7567
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "408",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7568
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7569
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\SystemPropertyHandlers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\SystemPropertyHandlers"
              }
            ],
            "repeated": 0,
            "id": 7570
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 7571
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7572
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.exe"
              }
            ],
            "repeated": 0,
            "id": 7573
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7574
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7575
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7576
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7577
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\OverrideFileSystemProperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\OverrideFileSystemProperties"
              }
            ],
            "repeated": 0,
            "id": 7578
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\OverrideFileSystemProperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\OverrideFileSystemProperties"
              }
            ],
            "repeated": 0,
            "id": 7579
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7580
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7581
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7582
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7583
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7584
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7585
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7586
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xe5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xe6\\x04\\xe6\\xf8\\xe5\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xe8\\xec\\x04\\xbc^\\xb8u\\xde\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7587
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7588
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7589
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7590
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xe5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xe6\\x04\\xe6\\xf8\\xe5\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xe8\\xec\\x04\\xbc^\\xb8u\\xde\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7591
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7592
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7593
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7594
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7595
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ExplorerCLSIDFlags\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\ExplorerCLSIDFlags\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7596
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\ExplorerCLSIDFlags\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\ExplorerCLSIDFlags\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7597
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7598
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7599
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xe5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xe6\\x04\\xe6\\xf8\\xe5\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xe8\\xec\\x04\\xbc^\\xb8u\\xde\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7600
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7601
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7602
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7603
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xe5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xe6\\x04\\xe6\\xf8\\xe5\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xe8\\xec\\x04\\xbc^\\xb8u\\xde\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7604
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7605
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7489218a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 7606
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7607
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7608
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7609
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7610
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7611
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7612
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7613
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7614
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7615
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7616
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7617
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7618
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7619
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7620
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7621
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7622
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7623
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xd7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xd84\\xd8(\\xd8\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd0\\xda\\xec\\x04\\xbc^\\xb8u\\xde\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7624
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7625
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 7626
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7627
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7628
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7629
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7630
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7631
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7632
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000004dc"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004e0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 7633
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000004e0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7634
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7635
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7636
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7637
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7638
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7639
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7640
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 7641
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7642
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7643
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7644
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7645
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7646
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7647
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7648
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7649
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 7650
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7651
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7652
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7653
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7654
          },
          {
            "timestamp": "2026-06-29 22:15:04,859",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7655
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7656
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7657
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7658
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 7659
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7660
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7661
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7662
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7663
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7664
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7665
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004dc"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7666
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7667
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 7668
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7669
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7670
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7671
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7672
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7673
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7674
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 7675
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e0"
              }
            ],
            "repeated": 0,
            "id": 7676
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 7677
          },
          {
            "timestamp": "2026-06-29 22:15:04,875",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 7678
          },
          {
            "timestamp": "2026-06-29 22:15:04,890",
            "thread_id": "168",
            "caller": "0x764fb006",
            "parentcaller": "0x763e3f6b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Bcp47Langs"
              },
              {
                "name": "DllBase",
                "value": "0x73d20000"
              }
            ],
            "repeated": 0,
            "id": 7679
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x764fb006",
            "parentcaller": "0x763e3f6b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\sppc"
              },
              {
                "name": "DllBase",
                "value": "0x73cb0000"
              }
            ],
            "repeated": 0,
            "id": 7680
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x764fb006",
            "parentcaller": "0x763e3f6b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SLC"
              },
              {
                "name": "DllBase",
                "value": "0x73d00000"
              }
            ],
            "repeated": 0,
            "id": 7681
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x764fb006",
            "parentcaller": "0x763e3f6b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x73cd0000"
              }
            ],
            "repeated": 0,
            "id": 7682
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x764fb006",
            "parentcaller": "0x763e3f6b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\appresolver"
              },
              {
                "name": "DllBase",
                "value": "0x73d70000"
              }
            ],
            "repeated": 0,
            "id": 7683
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x73d96a6f",
            "parentcaller": "0x73da42d0",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7684
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x764fb006",
            "parentcaller": "0x763e3f6b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7685
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7686
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7687
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7688
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7689
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7690
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7691
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7692
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7693
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7694
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7695
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7696
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7697
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7698
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7699
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{a07034fd-6caa-4954-ac3f-97a27216f98a}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7700
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7701
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xe0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xe1\\x0c\\xe1\\x00\\xe1\\x0e\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa8\\xe3\\xec\\x04\\xbc^\\xb8u\\x0e\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7702
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{a07034fd-6caa-4954-ac3f-97a27216f98a}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a07034fd-6caa-4954-ac3f-97a27216f98a}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7703
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050e"
              }
            ],
            "repeated": 0,
            "id": 7704
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7705
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7706
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7707
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7708
          },
          {
            "timestamp": "2026-06-29 22:15:04,906",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7709
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75818b43",
            "parentcaller": "0x758189c5",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7710
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 7711
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x747c69db",
            "parentcaller": "0x747c62a0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7712
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7713
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7714
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7715
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7716
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7717
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7718
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7719
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7720
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7721
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7722
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7723
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7724
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7725
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7726
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7727
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7728
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7729
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xdc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xdd4\\xdd(\\xdd\\x0e\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd0\\xdf\\xec\\x04\\xbc^\\xb8u\\x0e\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7730
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7731
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050e"
              }
            ],
            "repeated": 0,
            "id": 7732
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7733
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7734
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7735
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7736
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7737
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7738
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000050c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000514"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 7739
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000514"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7740
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7741
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7742
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7743
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7744
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7745
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7746
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7747
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7748
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7749
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7750
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7751
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7752
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7753
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7754
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7755
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7756
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7757
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7758
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7759
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7760
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7761
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7762
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7763
          },
          {
            "timestamp": "2026-06-29 22:15:04,922",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7764
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7765
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7766
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7767
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7768
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7769
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7770
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7771
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7772
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7773
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7774
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7775
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7776
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7777
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7778
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7779
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7780
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7781
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 7782
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 7783
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7784
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75818b43",
            "parentcaller": "0x758189c5",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7785
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b83595",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7786
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 7787
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "SlowContextMenuEntries"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Buffer",
                "value": "`$\\xb2!\\xea:i\\x10\\xa2\\xdc\\x08\\x00+00\\x9d\\x87\\x01\\x00\\x00\\xbd\\x0e\\x0cGs]XM\\x9c\\xed\\xe9\\x1e\"\\xe22\\x822\\x02\\x00\\x00\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00FR\\x02\\x00\\x00v\\x96\\xbf\\xe2\\x8f_\\C\\x97\\xeb\\x11`z[\\xed\\xf7\\xdb\\x00\\x00\\x00@\\xc7\\xa4{\\x81\\x9e\\xcf\\x11\\x99\\xd3\\x00\\xaa\\x00J\\xe87\\xaf\n\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries"
              }
            ],
            "repeated": 0,
            "id": 7788
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7789
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7790
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7791
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7792
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 7793
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 7794
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7795
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7796
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7797
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7798
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7799
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7800
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7801
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7802
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7803
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7804
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\x1a\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\x1a\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7805
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7806
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051a"
              }
            ],
            "repeated": 0,
            "id": 7807
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7808
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 7809
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7810
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7811
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7812
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 7813
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7814
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7815
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7816
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 7817
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 7818
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7819
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7820
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4\\x1a\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u\\x1a\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7821
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
              }
            ],
            "repeated": 0,
            "id": 7822
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051a"
              }
            ],
            "repeated": 0,
            "id": 7823
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7824
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 7825
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7826
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7827
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 7828
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7829
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 7830
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x747c69db",
            "parentcaller": "0x747c62a0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7831
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7832
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7833
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7834
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7835
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7836
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7837
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7838
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7839
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7840
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7841
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7842
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7843
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7844
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7845
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7846
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7847
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7848
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7849
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7850
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7851
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7852
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xd8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xd8d\\xd8X\\xd8\\x1a\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xdb\\xec\\x04\\xbc^\\xb8u\\x1a\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7853
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7854
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051a"
              }
            ],
            "repeated": 0,
            "id": 7855
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006d3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7856
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7857
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7858
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7859
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7860
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7861
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7862
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000518"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000510"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 7863
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000510"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7864
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7865
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7866
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7867
          },
          {
            "timestamp": "2026-06-29 22:15:04,937",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7868
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7869
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7870
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7871
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7872
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7873
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7874
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7875
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7876
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7877
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7878
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7879
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7880
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7881
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7882
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7883
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7884
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7885
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7886
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7887
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7888
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7889
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7890
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7891
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7892
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7893
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7894
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7895
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7896
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7897
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7898
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7899
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7900
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7901
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 7902
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 7903
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7904
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7905
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7906
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7907
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7908
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7909
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7910
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7911
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7912
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7913
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7914
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7915
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7916
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7917
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7918
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7919
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7920
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7921
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7922
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7923
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7924
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7925
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xd8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xd8L\\xd8@\\xd8\\x0e\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xda\\xec\\x04\\xbc^\\xb8u\\x0e\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7926
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7927
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050e"
              }
            ],
            "repeated": 0,
            "id": 7928
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7929
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7930
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7931
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7932
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7933
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7934
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000050c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000514"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 7935
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000514"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7936
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7937
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7938
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7939
          },
          {
            "timestamp": "2026-06-29 22:15:04,953",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7940
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7941
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7942
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7943
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7944
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7945
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7946
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7947
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7948
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7949
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7950
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7951
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7952
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7953
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7954
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7955
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7956
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7957
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7958
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7959
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7960
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7961
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7962
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7963
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7964
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7965
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7966
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7967
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000050c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 7968
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7969
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 7970
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 7971
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7972
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 7973
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 7974
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 7975
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7976
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7977
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 7978
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7979
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7980
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7981
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7982
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7983
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7984
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7985
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 7986
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7987
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7988
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7989
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7990
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7991
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7992
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7993
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xd5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xd6\\xdc\\xd5\\xd0\\xd5\\x1a\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xd8\\xec\\x04\\xbc^\\xb8u\\x1a\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7994
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7995
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051a"
              }
            ],
            "repeated": 0,
            "id": 7996
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7997
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 7998
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7999
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 8000
          },
          {
            "timestamp": "2026-06-29 22:15:04,968",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8001
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8002
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000518"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000510"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 8003
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000510"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8004
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 8005
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8006
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8007
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8008
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8009
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8010
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 8011
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 8012
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8013
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8014
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8015
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8016
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8017
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000518"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8018
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8019
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 8020
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 8021
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8022
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8023
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8024
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8025
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8026
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8027
          },
          {
            "timestamp": "2026-06-29 22:15:04,984",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000518"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8028
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 8029
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8030
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8031
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8032
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8033
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8034
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8035
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8036
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000518"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8037
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 8038
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8039
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8040
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8041
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8042
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8043
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8044
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8045
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 8046
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 8047
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 8048
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x763e41d9",
            "parentcaller": "0x763e3e84",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8049
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8050
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8051
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8052
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 8053
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 8054
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8055
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 8056
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8057
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8058
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8059
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8060
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8061
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{a07034fd-6caa-4954-ac3f-97a27216f98a}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8062
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8063
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xde\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xdf\\xb4\\xde\\xa8\\xde\\x0e\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xe1\\xec\\x04\\xbc^\\xb8u\\x0e\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8064
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{a07034fd-6caa-4954-ac3f-97a27216f98a}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a07034fd-6caa-4954-ac3f-97a27216f98a}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8065
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050e"
              }
            ],
            "repeated": 0,
            "id": 8066
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8067
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8068
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8069
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8070
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8071
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8072
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 8073
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 8074
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8075
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 8076
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 8077
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8078
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\QfePolicyDefinitions\\{A48F1A32-A340-11D1-BC6B-00A0C90312E1}\\{99431419-3869-4970-9AA5-1C5EA306DD79}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\QfePolicyDefinitions\\{A48F1A32-A340-11D1-BC6B-00A0C90312E1}\\{99431419-3869-4970-9AA5-1C5EA306DD79}"
              }
            ],
            "repeated": 0,
            "id": 8079
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 8080
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 8081
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e155",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8082
          },
          {
            "timestamp": "2026-06-29 22:15:05,000",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e155",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 8083
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000050c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c20000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8084
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c9b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8085
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8086
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8087
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c99000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8088
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 8089
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 8090
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8091
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 8092
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 8093
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8094
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000050c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 8095
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000050c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73bb0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00065000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8096
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8097
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8098
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c0f000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8099
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 8100
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8101
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c99000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8102
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f50eba",
            "parentcaller": "0x76f50d02",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00s\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x00D\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\x00o\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00g\\x00\\\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x00s\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\x00i\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00s\\x00\\\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\x00 \\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00P\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00m\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00r\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8103
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c0f000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8104
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8105
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8106
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8107
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 8108
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8109
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8110
          },
          {
            "timestamp": "2026-06-29 22:15:05,015",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x73bb0000"
              }
            ],
            "repeated": 0,
            "id": 8111
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8112
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8113
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8114
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 8115
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8116
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8117
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x73c20000"
              }
            ],
            "repeated": 0,
            "id": 8118
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x022c4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8119
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x022c5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8120
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x022c7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8121
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f312cf",
            "parentcaller": "0x76f3104a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 8122
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f31302",
            "parentcaller": "0x76f3104a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8123
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f2effb",
            "parentcaller": "0x76f2eef0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8124
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f2f042",
            "parentcaller": "0x76f2eef0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8125
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f2f042",
            "parentcaller": "0x76f2eef0",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\msvcp110_win"
              },
              {
                "name": "BaseAddress",
                "value": "0x73bb0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x73be6de0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 8126
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\policymanager"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c20000"
              },
              {
                "name": "InitRoutine",
                "value": "0x73c351c0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 8127
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8128
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8129
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c9b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8130
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73c9b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8131
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8132
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000510"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Start\\NoPinningToTaskbar"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Start\\NoPinningToTaskbar"
              }
            ],
            "repeated": 0,
            "id": 8133
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73c3365c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 8134
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8135
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000510"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Start"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Start"
              }
            ],
            "repeated": 0,
            "id": 8136
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73c326b9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 8137
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8138
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8139
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8140
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8141
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8142
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 8143
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8144
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8145
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8146
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8147
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8148
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8149
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8150
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8151
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8152
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8153
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8154
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8155
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8156
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000526"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8157
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000526"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8158
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xd8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xd8<\\xd80\\xd8&\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xda\\xec\\x04\\xbc^\\xb8u&\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8159
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8160
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000526"
              }
            ],
            "repeated": 0,
            "id": 8161
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8162
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8163
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8164
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8165
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8166
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8167
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000524"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000528"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 8168
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000528"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8169
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8170
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8171
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8172
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8173
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8174
          },
          {
            "timestamp": "2026-06-29 22:15:05,031",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8175
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 8176
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8177
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8178
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8179
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8180
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8181
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8182
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8183
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8184
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 8185
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8186
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8187
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8188
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8189
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8190
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8191
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8192
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8193
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 8194
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8195
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8196
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8197
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8198
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8199
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8200
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8201
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8202
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 8203
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8204
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8205
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8206
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006d6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8207
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8208
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              }
            ],
            "repeated": 0,
            "id": 8209
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 8210
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x73da55a4",
            "parentcaller": "0x73da61d5",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8211
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e548",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 1,
            "id": 8212
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.3"
              }
            ],
            "repeated": 0,
            "id": 8213
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro"
              }
            ],
            "repeated": 0,
            "id": 8214
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x7412de75",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000520"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecdf0c"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8215
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000030.db"
              }
            ],
            "repeated": 0,
            "id": 8216
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x74122e49",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000518"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecedb4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8217
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x73da3ca7",
            "parentcaller": "0x73da6564",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 8218
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00  \\x00xh\\x02w\\x0c\\x00\\x00\\x00\\xb0\r\\x02\\x00h\\x00\\x00\\x00\\xd0\\x07\\x02\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xfcj\\x00"
              }
            ],
            "repeated": 0,
            "id": 8219
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75b81199",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8220
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\"
              }
            ],
            "repeated": 0,
            "id": 8221
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Control Panel\\International\\User Profile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile"
              }
            ],
            "repeated": 0,
            "id": 8222
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x73d2e537",
            "parentcaller": "0x73d45898",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 8223
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73d63000"
              },
              {
                "name": "ModuleName",
                "value": "Bcp47Langs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8224
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73d63000"
              },
              {
                "name": "ModuleName",
                "value": "Bcp47Langs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8225
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73d34fec",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 8226
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73d34ffa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8227
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00(\\xa7Ut\\x02\\x00\\x00\\x00\\xa0\\xb4\\xb9u\\xc0}\\xd3s \\x00\\x00\\x00\\x1d\\x00\\x16\\x00\\x08\\xe7\\xec\\x04\\xecZ\\x7f\\x02\\x00\\xe7\\xec\\x04\\x7fb\\xf4vb\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8228
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75b81199",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8229
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9530a",
            "parentcaller": "0x75b7c6d8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Control Panel\\International\\Geo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo"
              }
            ],
            "repeated": 0,
            "id": 8230
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9533d",
            "parentcaller": "0x75b7c6d8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8231
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b7c758",
            "parentcaller": "0x73da3d20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 8232
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8233
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 8234
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 8235
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 8236
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8237
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8238
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8239
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\xean:\\xdd\\xac\\xd5\\x017\\xa7\\xfd\\xe3w\\x07\\xdd\\x01oE\\xfb\\xe3w\\x07\\xdd\\x01oE\\xfb\\xe3w\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfa\\x01\\x00\\x00\\x00\\x00\\x01\\x00U\\x00s\\x00e\\x00r\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8240
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8241
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8242
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8243
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8244
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8245
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8246
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8247
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8248
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8249
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8250
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8251
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xd0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xd0<\\xd00\\xd0\\xf2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xd2\\xec\\x04\\xbc^\\xb8u\\xf2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8252
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8253
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f2"
              }
            ],
            "repeated": 0,
            "id": 8254
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8255
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x747e6b20",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8256
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8257
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8258
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8259
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8260
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8261
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8262
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8263
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8264
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8265
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8266
          },
          {
            "timestamp": "2026-06-29 22:15:05,047",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xcc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xcc\\xcc|\\xccp\\xcc\\xf2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x18\\xcf\\xec\\x04\\xbc^\\xb8u\\xf2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8267
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8268
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f2"
              }
            ],
            "repeated": 0,
            "id": 8269
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8270
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8271
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8272
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8273
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8.\\xdf\\xeev\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfbd\\x01\\x00\\x00\\x00\\x02\\x00R\\x00a\\x00j\\x00e\\x00s\\x00h\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8274
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8275
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8276
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8277
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8278
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8279
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8280
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8281
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8282
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8283
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8284
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8285
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xcf\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xcfL\\xcf@\\xcf\\xf2\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xd1\\xec\\x04\\xbc^\\xb8u\\xf2\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8286
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8287
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f2"
              }
            ],
            "repeated": 0,
            "id": 8288
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8289
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8290
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8291
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8292
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\\xf5\\xe3\\xeev\\x07\\xdd\\x01\\xd4\\xf0!\\xefv\\x07\\xdd\\x01\\xd4\\xf0!\\xefv\\x07\\xdd\\x01\\xd4\\xf0!\\xefv\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06e\\x01\\x00\\x00\\x00\\x01\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8293
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8294
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8295
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8296
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe5U\\xe6\\xeev\\x07\\xdd\\x01l\\x90\\xc1\\xb2H\\x07\\xdd\\x01l\\x90\\xc1\\xb2H\\x07\\xdd\\x01l\\x90\\xc1\\xb2H\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19e\\x01\\x00\\x00\\x00\\x01\\x00L\\x00o\\x00c\\x00a\\x00l\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8297
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8298
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8299
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8300
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe5U\\xe6\\xeev\\x07\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1ae\\x01\\x00\\x00\\x00\\x01\\x00T\\x00e\\x00m\\x00p\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8301
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8302
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8303
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8304
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xdd\\xd5u\\xba\\x14\\x08\\xdd\\x01\\xa0\\\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x01\\x00\\x00\\x00\\x00\\x00&\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00^\\xac\\x01\\x00\\x00\\x00\\x01\\x00I\\x00n\\x00s\\x00t\\x00a\\x00l\\x00l\\x00F\\x00l\\x00a\\x00s\\x00h\\x00P\\x00l\\x00a\\x00y\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8305
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8306
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747c69db",
            "parentcaller": "0x747c62a0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8307
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8308
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8309
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f0"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8310
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8311
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8312
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8313
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8314
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8315
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8316
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x74130107",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 8317
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9f5a5",
            "parentcaller": "0x74130122",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8318
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e548",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 8319
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x741301d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8320
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75b9f5a5",
            "parentcaller": "0x741301e1",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8321
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x75818b43",
            "parentcaller": "0x758189c5",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8322
          },
          {
            "timestamp": "2026-06-29 22:15:05,062",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 8323
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x747c69db",
            "parentcaller": "0x747c62a0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8324
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8325
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 8326
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8327
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8328
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8329
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8330
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8331
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8332
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8333
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8334
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8335
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8336
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8337
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8338
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8339
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000522"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8340
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000522"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8341
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xdc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xdd4\\xdd(\\xdd\"\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd0\\xdf\\xec\\x04\\xbc^\\xb8u\"\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8342
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8343
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000522"
              }
            ],
            "repeated": 0,
            "id": 8344
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8345
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8346
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8347
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8348
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8349
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8350
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000520"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000051c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 8351
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000051c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8352
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8353
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8354
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8355
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8356
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8357
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8358
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8359
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8360
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8361
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8362
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8363
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8364
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8365
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8366
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8367
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8368
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8369
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8370
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8371
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8372
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8373
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8374
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8375
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8376
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8377
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8378
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8379
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8380
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006d9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8381
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8382
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8383
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8384
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000520"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8385
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8386
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 8387
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8388
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8389
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8390
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8391
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8392
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8393
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8394
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 8395
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8396
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 8397
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75818b43",
            "parentcaller": "0x758189c5",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8398
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x7642e189",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3236:168:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8399
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x7642e2a2",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 8400
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8401
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8402
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7648444e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8403
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x7648441e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 1,
            "id": 8404
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8405
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76873000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8406
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8407
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Taskband"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Taskband"
              }
            ],
            "repeated": 0,
            "id": 8408
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006da000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8409
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75617cfc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8410
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8411
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Taskband"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Taskband"
              }
            ],
            "repeated": 0,
            "id": 8412
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 8413
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x747bb6a0",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\Desktop"
              }
            ],
            "repeated": 0,
            "id": 8414
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c3dc4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 8415
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8416
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8417
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8418
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8419
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 8420
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8421
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8422
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8423
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 8424
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 8425
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8426
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8427
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe9\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xea\\xec\\xe9\\xe0\\xe9\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xec\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8428
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 8429
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8430
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8431
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe9\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xea\\xec\\xe9\\xe0\\xe9\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xec\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8432
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 8433
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8434
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8435
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe9\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xea\\xec\\xe9\\xe0\\xe9\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xec\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8436
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 8437
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8438
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8439
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe9\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xea\\xec\\xe9\\xe0\\xe9\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xec\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8440
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 8441
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747ba92e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              }
            ],
            "repeated": 0,
            "id": 8442
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8443
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 8444
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8445
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 8446
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8447
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 8448
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8449
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 8450
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8451
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8452
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8453
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8454
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8455
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8456
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 8457
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8458
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 8459
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8460
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8461
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8462
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8463
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8464
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8465
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8466
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xe2\\xa4\\xe2\\x98\\xe2\\x1e\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xe5\\xec\\x04\\xbc^\\xb8u\\x1e\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8467
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8468
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051e"
              }
            ],
            "repeated": 0,
            "id": 8469
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8470
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8471
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xe4\\xdc\\xe3\\xd0\\xe3\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xe6\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8472
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8473
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 8474
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8475
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e779e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 8476
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8477
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8478
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8479
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8480
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8481
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8482
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8483
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xd8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xd9\\xdc\\xd8\\xd0\\xd8\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xdb\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8484
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8485
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8486
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8487
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xd8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xd9\\xdc\\xd8\\xd0\\xd8\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xdb\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8488
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8489
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              }
            ],
            "repeated": 0,
            "id": 8490
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x747e780c",
            "parentcaller": "0x74839a38",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0E5AAE11-A475-4C5B-AB00-C66DE400274E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8491
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8492
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8493
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xe4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xa4\\xe4T\\xe4H\\xe4\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xf0\\xe6\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8494
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8495
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ee"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8496
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8497
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8498
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xe3\\xb4\\xe2\\xa8\\xe2\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xe5\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8499
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8500
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8501
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8502
          },
          {
            "timestamp": "2026-06-29 22:15:05,078",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xe3\\xb4\\xe2\\xa8\\xe2\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xe5\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8503
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8504
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8505
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8506
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xe3\\xb4\\xe2\\xa8\\xe2\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xe5\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8507
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8508
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8509
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8510
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe2\\x9c\\xe2\\x90\\xe2\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xe5\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8511
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8512
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8513
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8514
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe2\\x9c\\xe2\\x90\\xe2\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xe5\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8515
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8516
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8517
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8518
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xe3\\xb4\\xe2\\xa8\\xe2\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xe5\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8519
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8520
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8521
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8522
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe2\\x9c\\xe2\\x90\\xe2\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xe5\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8523
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8524
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8525
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8526
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe2\\x9c\\xe2\\x90\\xe2\\xda\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xe5\\xec\\x04\\xbc^\\xb8u\\xda\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8527
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag"
              }
            ],
            "repeated": 0,
            "id": 8528
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8529
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8530
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8531
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8532
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\"
              }
            ],
            "repeated": 0,
            "id": 8533
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 8534
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000520"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\"
              }
            ],
            "repeated": 0,
            "id": 8535
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7621302b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              }
            ],
            "repeated": 0,
            "id": 8536
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 8537
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8538
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 8539
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 8540
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c8fb6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8541
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8542
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8543
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe4\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8544
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000530"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 8545
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000530"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 8546
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 8547
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x14\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\x94\\xe2\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xb8\\xe2\\xec\\x04\\xb4\\xe2\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8548
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000530"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8549
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000052c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000530"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 8550
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 8551
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000530"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 8552
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000530"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 8553
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 8554
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000530"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 8555
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000530"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 8556
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 8557
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8558
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              }
            ],
            "repeated": 0,
            "id": 8559
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x747bb6a0",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned"
              }
            ],
            "repeated": 0,
            "id": 8560
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c3dc4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8561
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8562
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000052c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 8563
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000052c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 8564
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              }
            ],
            "repeated": 0,
            "id": 8565
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8566
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8567
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8568
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\xean:\\xdd\\xac\\xd5\\x017\\xa7\\xfd\\xe3w\\x07\\xdd\\x01oE\\xfb\\xe3w\\x07\\xdd\\x01oE\\xfb\\xe3w\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfa\\x01\\x00\\x00\\x00\\x00\\x01\\x00U\\x00s\\x00e\\x00r\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8569
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8570
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8571
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8572
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8573
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8574
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8575
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8576
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8577
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8578
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8579
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8580
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xc4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xa4\\xc4T\\xc4H\\xc4\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf0\\xc6\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8581
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8582
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8583
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8584
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x747e6b20",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8585
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8586
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8587
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8588
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8589
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8590
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8591
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8592
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8593
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8594
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8595
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xc0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xc0\\x94\\xc0\\x88\\xc0\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x020\\xc3\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8596
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8597
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8598
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8599
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8600
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8601
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8602
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8.\\xdf\\xeev\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\xf8m>Pz\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfbd\\x01\\x00\\x00\\x00\\x02\\x00R\\x00a\\x00j\\x00e\\x00s\\x00h\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8603
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8604
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8605
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8606
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8607
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8608
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8609
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8610
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8611
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8612
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8613
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8614
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xc3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xc3d\\xc3X\\xc3\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xc6\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8615
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8616
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8617
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8618
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8619
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8620
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8621
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\\xf5\\xe3\\xeev\\x07\\xdd\\x01\\xd4\\xf0!\\xefv\\x07\\xdd\\x01\\xd4\\xf0!\\xefv\\x07\\xdd\\x01\\xd4\\xf0!\\xefv\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06e\\x01\\x00\\x00\\x00\\x01\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8622
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8623
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8624
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8625
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\\xf5\\xe3\\xeev\\x07\\xdd\\x01\\xc1\\xd2W\\xf7v\\x07\\xdd\\x01\\xc1\\xd2W\\xf7v\\x07\\xdd\\x01\\xc1\\xd2W\\xf7v\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07e\\x01\\x00\\x00\\x00\\x01\\x00R\\x00o\\x00a\\x00m\\x00i\\x00n\\x00g\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8626
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8627
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8628
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8629
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\\xf5\\xe3\\xeev\\x07\\xdd\\x01@\\xe9z\\xc3H\\x07\\xdd\\x01@\\xe9z\\xc3H\\x07\\xdd\\x01@\\xe9z\\xc3H\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00M\\x00I\\x00C\\x00R\\x00O\\x00S\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08e\\x01\\x00\\x00\\x00\\x01\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8630
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8631
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8632
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8633
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8634
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8635
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8636
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8637
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8638
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8639
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8640
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8641
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xc1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xc2\\xd4\\xc1\\xc8\\xc1\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xc4\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8642
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8643
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8644
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8645
          },
          {
            "timestamp": "2026-06-29 22:15:05,093",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x747e6b20",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8646
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75ba6b8e",
            "parentcaller": "0x747e82b1",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\desktop.ini"
              }
            ],
            "repeated": 0,
            "id": 8647
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 8648
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 8649
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8650
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8651
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8652
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 8653
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 8654
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8655
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8656
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8657
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8658
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8659
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8660
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8661
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8662
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8663
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8664
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8665
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xbd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xbe\\x14\\xbe\\x08\\xbe\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xc0\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8666
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8667
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8668
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8669
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8670
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8671
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8672
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe5U\\xe6\\xeev\\x07\\xdd\\x01\\xd6\\x85L\\x01w\\x07\\xdd\\x01\\x0c\\xfa^\\xf7v\\x07\\xdd\\x01\\x0c\\xfa^\\xf7v\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00I\\x00N\\x00T\\x00E\\x00R\\x00N\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17e\\x01\\x00\\x00\\x00\\x01\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00e\\x00t\\x00 \\x00E\\x00x\\x00p\\x00l\\x00o\\x00r\\x00e\\x00r\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8673
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8674
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8675
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8676
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8677
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8678
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8679
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8680
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8681
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8682
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8683
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8684
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xc0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xc1\\xe4\\xc0\\xd8\\xc0\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xc3\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8685
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8686
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8687
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8688
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8689
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8690
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8691
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe5U\\xe6\\xeev\\x07\\xdd\\x01\\xb0-\\x8f#y\\x07\\xdd\\x01\\xb0-\\x8f#y\\x07\\xdd\\x01\\xb0-\\x8f#y\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00Q\\x00U\\x00I\\x00C\\x00K\\x00L\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18e\\x01\\x00\\x00\\x00\\x01\\x00Q\\x00u\\x00i\\x00c\\x00k\\x00 \\x00L\\x00a\\x00u\\x00n\\x00c\\x00h\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8692
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8693
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8694
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8695
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8696
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8697
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8698
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8699
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8700
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8701
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8702
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8703
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xc0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xc0\\x94\\xc0\\x88\\xc0\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x020\\xc3\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8704
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8705
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8706
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8707
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f0bb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 8708
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 8709
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8710
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8711
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x7480f158",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x94\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8712
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x7480f1a1",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\r\n[LocalizedFileNames]\r\nWindow Switcher.lnk=@%SystemRoot%\\system32\\shell32.dll,-10114\r\nShows Desktop.lnk=@%SystemRoot%\\system32\\shell32.dll,-10113\r\n"
              },
              {
                "name": "Length",
                "value": "148"
              }
            ],
            "repeated": 0,
            "id": 8713
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x7480f1f4",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x0b\\x06\\xf7\\xeev\\x07\\xdd\\x01\\x84\\xf1\\x0f\\xf0|\\x07\\xdd\\x01\\xdew\\x12~\\xde\\xac\\xd5\\x01\\x0b\\x06\\xf7\\xeev\\x07\\xdd\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8714
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7480f20b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8715
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7480f215",
            "parentcaller": "0x7480f05c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8716
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7487f9b5",
            "parentcaller": "0x7480f254",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 8717
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b9d52c",
            "parentcaller": "0x7487f9e1",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 8718
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75ba9071",
            "parentcaller": "0x7487fa0f",
            "category": "process",
            "api": "NtWriteVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00202175"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8719
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8720
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8721
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8722
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8723
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8724
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8725
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8726
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8727
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8728
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8729
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xbc\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xbd\\xd4\\xbc\\xc8\\xbc\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xbf\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8730
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8731
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8732
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8733
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8734
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006db000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8735
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8736
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b92728",
            "parentcaller": "0x747f100a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8737
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747f10ac",
            "parentcaller": "0x747f0e26",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03UV\\xf6v\\x07\\xdd\\x01'\\x96\\xf5\\xa1x\\x07\\xdd\\x01'\\x96\\xf5\\xa1x\\x07\\xdd\\x01'\\x96\\xf5\\xa1x\\x07\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00U\\x00S\\x00E\\x00R\\x00P\\x00I\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00#f\\x01\\x00\\x00\\x00\\x01\\x00U\\x00s\\x00e\\x00r\\x00 \\x00P\\x00i\\x00n\\x00n\\x00e\\x00d\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 8738
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747f0e4c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8739
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8740
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8741
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8742
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8743
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8744
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8745
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8746
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8747
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8748
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8749
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xbf\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xbf\\xa4\\xbf\\x98\\xbf\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xc2\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8750
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8751
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8752
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 8753
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747e8126",
            "parentcaller": "0x74838450",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 83,
            "id": 8754
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006dc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8755
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 51,
            "id": 8756
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8757
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Taskband"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Taskband"
              }
            ],
            "repeated": 0,
            "id": 8758
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006df000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8759
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75617cfc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8760
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 27,
            "id": 8761
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x764bee16",
            "parentcaller": "0x763e4fea",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8762
          },
          {
            "timestamp": "2026-06-29 22:15:05,109",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 8763
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x747c69db",
            "parentcaller": "0x747c62a0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8764
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8765
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8766
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000528"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8767
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8768
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8769
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 8770
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8771
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8772
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8773
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8774
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8775
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8776
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8777
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8778
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8779
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8780
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8781
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8782
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8783
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000052a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8784
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000052a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8785
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xdf\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xdfD\\xdf8\\xdf*\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe0\\xe1\\xec\\x04\\xbc^\\xb8u*\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8786
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8787
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052a"
              }
            ],
            "repeated": 0,
            "id": 8788
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8789
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 8790
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000528"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 8791
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8792
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8793
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8794
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000528"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000524"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 8795
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000524"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8796
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8797
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8798
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8799
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8800
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000538"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8801
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000538"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8802
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 8803
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8804
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8805
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8806
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8807
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8808
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8809
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000538"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8810
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000538"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8811
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 8812
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8813
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8814
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8815
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8816
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8817
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8818
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000538"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8819
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000538"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8820
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 8821
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8822
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8823
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8824
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8825
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8826
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8827
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000538"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000528"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 8828
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000538"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8829
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 8830
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8831
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8832
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 8833
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8834
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8835
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 8836
          },
          {
            "timestamp": "2026-06-29 22:15:05,125",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 8837
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x765c1d42",
            "parentcaller": "0x764f9f7e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F6B7425E-AF10-984F-9DD7-F14816179E2C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "6C6C33EE-F1D4-1BDD-601D-0FA334303BC2"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8838
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8839
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8840
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8841
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8842
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000052c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 8843
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487cfea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              }
            ],
            "repeated": 0,
            "id": 8844
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8845
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8846
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8847
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf3\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8848
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8849
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75818b43",
            "parentcaller": "0x758189c5",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8850
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b83595",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8851
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 8852
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ValueName",
                "value": "SlowContextMenuEntries"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Buffer",
                "value": "`$\\xb2!\\xea:i\\x10\\xa2\\xdc\\x08\\x00+00\\x9d\\x87\\x01\\x00\\x00\\xbd\\x0e\\x0cGs]XM\\x9c\\xed\\xe9\\x1e\"\\xe22\\x822\\x02\\x00\\x00\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00FR\\x02\\x00\\x00N:\\xaa\\x90\\xba\\x1c3B\\xb8\\xbbSWs\\xd4\\x84I)\\x01\\x00\\x00@\\xc7\\xa4{\\x81\\x9e\\xcf\\x11\\x99\\xd3\\x00\\xaa\\x00J\\xe87\\xaf\n\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries"
              }
            ],
            "repeated": 0,
            "id": 8853
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8854
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8855
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8856
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8857
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 8858
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 8859
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8860
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8861
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8862
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8863
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8864
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7643d37a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8865
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8866
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7643d37a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8867
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8868
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8869
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8870
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8871
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8872
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8873
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8874
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8875
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 8876
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 8877
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8878
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8879
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8880
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8881
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8882
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7643d37a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8883
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8884
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7643d37a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8885
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8886
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8887
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8888
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8889
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8890
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8891
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8892
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8893
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8894
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8895
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8896
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8897
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8898
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8899
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8900
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 8901
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8902
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 8903
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x7464071b",
            "parentcaller": "0x7464063c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8904
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x746407b1",
            "parentcaller": "0x7464063c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8905
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x746405c7",
            "parentcaller": "0x7643d12c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntshrui.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8906
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8907
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 8908
          },
          {
            "timestamp": "2026-06-29 22:15:05,234",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8909
          },
          {
            "timestamp": "2026-06-29 22:15:05,250",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\ntshrui"
              },
              {
                "name": "DllBase",
                "value": "0x73b50000"
              }
            ],
            "repeated": 0,
            "id": 8910
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F81E9010-6EA4-11CE-A7FF-00AA003CA9F6"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E4-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8911
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8912
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}"
              }
            ],
            "repeated": 0,
            "id": 8913
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8914
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}"
              }
            ],
            "repeated": 0,
            "id": 8915
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8916
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8917
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8918
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 8919
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8920
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8921
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8922
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}"
              }
            ],
            "repeated": 0,
            "id": 8923
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}"
              }
            ],
            "repeated": 0,
            "id": 8924
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000536"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8925
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000536"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8926
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf46\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u6\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8927
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
              }
            ],
            "repeated": 0,
            "id": 8928
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000536"
              }
            ],
            "repeated": 0,
            "id": 8929
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x73b6518b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 8930
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x73b695e6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3236:168:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8931
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x73b650e7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 8932
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8933
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8934
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x73b63a2e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 8935
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x73b647ee",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 1,
            "id": 8936
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x73b638b8",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3236:64:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8937
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x73b650e7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 8938
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8939
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8940
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x73b63a2e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 8941
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x73b647ee",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 1,
            "id": 8942
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8943
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore"
              }
            ],
            "repeated": 0,
            "id": 8944
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8945
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8946
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 8947
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8948
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8949
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8950
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8951
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8952
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{02df6db6-9405-4812-b3f6-500e8615b7af}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8953
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8954
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00D\\xe9\\xf4\\xe8\\xe8\\xe8\\xee\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x90\\xeb\\xec\\x04\\xbc^\\xb8u\\xee\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8955
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{02df6db6-9405-4812-b3f6-500e8615b7af}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{02df6db6-9405-4812-b3f6-500e8615b7af}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8956
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ee"
              }
            ],
            "repeated": 0,
            "id": 8957
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000524"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\"
              }
            ],
            "repeated": 0,
            "id": 8958
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000538"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000528"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\Windows.Share"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.Share"
              }
            ],
            "repeated": 0,
            "id": 8959
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000053c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000538"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.Share\\"
              }
            ],
            "repeated": 0,
            "id": 8960
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8961
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8962
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8963
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8964
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8965
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8966
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8967
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8968
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8969
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8970
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 8971
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8972
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e779e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 8973
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8974
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8975
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8976
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8977
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8978
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000542"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{99D353BC-C813-41ec-8F28-EAE61E702E57}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8979
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000542"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8980
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe8\\x9c\\xe8\\x90\\xe8B\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xeb\\xec\\x04\\xbc^\\xb8uB\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8981
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{99D353BC-C813-41ec-8F28-EAE61E702E57}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{99D353BC-C813-41ec-8F28-EAE61E702E57}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8982
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000542"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{99D353BC-C813-41ec-8F28-EAE61E702E57}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 8983
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000542"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8984
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe8\\x9c\\xe8\\x90\\xe8B\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xeb\\xec\\x04\\xbc^\\xb8uB\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8985
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{99D353BC-C813-41ec-8F28-EAE61E702E57}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{99D353BC-C813-41ec-8F28-EAE61E702E57}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8986
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000542"
              }
            ],
            "repeated": 0,
            "id": 8987
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8988
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 8989
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8990
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 8991
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8992
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8993
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x7464071b",
            "parentcaller": "0x7464063c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{99d353bc-c813-41ec-8f28-eae61e702e57}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{99d353bc-c813-41ec-8f28-eae61e702e57}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 8994
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x746407b1",
            "parentcaller": "0x7464063c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 8995
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x746405c7",
            "parentcaller": "0x747a98f5",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntshrui.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73b50000"
              }
            ],
            "repeated": 0,
            "id": 8996
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8997
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 8998
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 8999
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x747e78ce",
            "parentcaller": "0x74b29bd8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "99D353BC-C813-41EC-8F28-EAE61E702E57"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9000
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9001
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{99D353BC-C813-41EC-8F28-EAE61E702E57}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{99D353BC-C813-41EC-8F28-EAE61E702E57}"
              }
            ],
            "repeated": 0,
            "id": 9002
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000053c"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.Share\\"
              }
            ],
            "repeated": 0,
            "id": 9003
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73b5c419",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 9004
          },
          {
            "timestamp": "2026-06-29 22:15:05,265",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 9005
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x73b7a24d",
            "parentcaller": "0x73b73744",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.FileExplorer.Common"
              },
              {
                "name": "DllBase",
                "value": "0x73b00000"
              }
            ],
            "repeated": 0,
            "id": 9006
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x73b7a24d",
            "parentcaller": "0x73b73744",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F324E4F9-8496-40B2-A1FF-9617C1C9AFFE"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "387FDB83-DD33-4995-9D2D-1F647E846705"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9007
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x75b8f535",
            "parentcaller": "0x73b2f975",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "MutexName",
                "value": "Global\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 9008
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x76f561ea",
            "parentcaller": "0x75ba9549",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 9009
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x76f56211",
            "parentcaller": "0x75ba9549",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 9010
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x73b2fb0e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 9011
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x73b2fbe5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9012
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x73b2fc1d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": "\\x0e\\x00\\x00\\x00\\xfcwm\\x00\\x07\\x00\\x00\\x00\\x18xm\\x00\\x07\\x00\\x00\\x00$xm\\x00\\x10\\x00\\x00\\x000xm\\x00\\x10\\x00\\x00\\x00@xm\\x00\\x07\\x00\\x00\\x00Pxm\\x00\\x07\\x00\\x00\\x00\\xm\\x00\\x07\\x00\\x00\\x00hxm\\x00\\x07\\x00\\x00\\x00txm\\x00\\x07\\x00\\x00\\x00\\x80xm\\x00\\x07\\x00\\x00\\x00\\x8cxm\\x00\\x07\\x00\\x00\\xc0\\xa0xm\\x00\\x07\\x00\\x00\\x00\\xacxm\\x00\\x07\\x00\\x00\\x00\\xbcxm\\x00`\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05r\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x0f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05"
              }
            ],
            "repeated": 0,
            "id": 9013
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x73b2fbbd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 9014
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x75b8f25e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "MutexName",
                "value": "Global\\SyncRootManager"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9015
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 9016
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 9017
          },
          {
            "timestamp": "2026-06-29 22:15:05,297",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9018
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000510"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000544"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 9019
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000510"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0022b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9020
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73adb000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9021
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9022
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9023
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ad8000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9024
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 9025
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 9026
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ad8000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9027
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f50eba",
            "parentcaller": "0x76f50d02",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x000\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\x00-\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x00A\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x000\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\x00}\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00r\\x00o\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00O\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00e\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00I\\x00N\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\x00E\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9028
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9029
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9030
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9031
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 9032
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9033
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 9034
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\iertutil"
              },
              {
                "name": "DllBase",
                "value": "0x738d0000"
              }
            ],
            "repeated": 0,
            "id": 9035
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x73a77902",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 9036
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x73a77902",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\iertutil"
              },
              {
                "name": "BaseAddress",
                "value": "0x738d0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x73a8af90"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9037
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73b44000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.FileExplorer.Common.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9038
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73b44000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.FileExplorer.Common.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9039
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x73a779f9",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 9040
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f6ba44",
            "parentcaller": "0x73a77a2a",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-OneCore-DeviceFamilyID"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 9041
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8f218",
            "parentcaller": "0x73a77acb",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3236"
              }
            ],
            "repeated": 0,
            "id": 9042
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73adb000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9043
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73adb000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9044
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x73a77ba2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 9045
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x73a819be",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9046
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x73a819f3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0jm\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9047
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x73a77bc7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 9048
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8f218",
            "parentcaller": "0x73a77acb",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3236"
              }
            ],
            "repeated": 0,
            "id": 9049
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x73a82b67",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 9050
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x73a82b80",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\xf5\\xec\\x04\\xcbz\\xa7s\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xfaz\\xa7s\\x00\\x00\\x00\\x00\\xa8:\\xads"
              }
            ],
            "repeated": 0,
            "id": 9051
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x73a82bac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 9052
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75ba86f8",
            "parentcaller": "0x73a77d4d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 9053
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x73a77e0d",
            "parentcaller": "0x73a77d9b",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Windows\\system32"
              }
            ],
            "repeated": 0,
            "id": 9054
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x73a77ed2",
            "parentcaller": "0x73a77e95",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Windows"
              }
            ],
            "repeated": 0,
            "id": 9055
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x73a79085",
            "parentcaller": "0x73a7bce6",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "35"
              }
            ],
            "repeated": 0,
            "id": 9056
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9057
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 9058
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9059
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 9060
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 9061
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x73a77ba2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 9062
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x73a819be",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9063
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x73a819f3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10jm\\x00`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9064
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x73a77bc7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 9065
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x73a78958",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 9066
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x73a76921",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9067
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x73a7898f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 9068
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9069
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 9070
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9071
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 9072
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9073
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 9074
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9075
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 9076
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x73b2f9ac",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000524"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000524"
              },
              {
                "name": "Options",
                "value": "0x00000001"
              }
            ],
            "repeated": 0,
            "id": 9077
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 9078
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9079
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 9080
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager\\"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 9081
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9082
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73b221c1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 9083
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x73b1b3b4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 1,
            "id": 9084
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9085
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9086
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9087
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShareCommands\\shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\ShareCommands\\shell"
              }
            ],
            "repeated": 0,
            "id": 9088
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\ShareCommands\\shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\ShareCommands\\shell"
              }
            ],
            "repeated": 0,
            "id": 9089
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9090
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9091
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x73b9c940",
            "parentcaller": "0x73b9ca0e",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x006b70d0",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "SC_MANAGER_CONNECT"
              }
            ],
            "repeated": 0,
            "id": 9092
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x73b9c954",
            "parentcaller": "0x73b9ca0e",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x006b72b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x006b70d0"
              },
              {
                "name": "ServiceName",
                "value": "LanmanServer"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9093
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9094
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9095
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x73b79d73",
            "parentcaller": "0x73b73801",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "49F371E1-8C5C-4D9C-9A3B-54A6827F513C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "14AA4AB8-ABE3-4A07-A290-1D5DCCDD2FC2"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9096
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9097
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 9098
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 9099
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9100
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 9101
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 9102
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9103
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 9104
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 9105
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9106
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 9107
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 9108
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9109
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9110
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9111
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9112
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9113
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9114
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9115
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9116
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9117
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9118
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 9119
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9120
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e779e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 9121
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9122
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9123
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9124
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9125
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000548"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9126
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9127
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9128
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xe7\\x8c\\xe7\\x80\\xe7J\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02(\\xea\\xec\\x04\\xbc^\\xb8uJ\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9129
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9130
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9131
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9132
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xe7\\x8c\\xe7\\x80\\xe7J\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02(\\xea\\xec\\x04\\xbc^\\xb8uJ\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9133
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9134
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054a"
              }
            ],
            "repeated": 0,
            "id": 9135
          },
          {
            "timestamp": "2026-06-29 22:15:05,312",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c3dc4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 9136
          },
          {
            "timestamp": "2026-06-29 22:15:05,328",
            "thread_id": "168",
            "caller": "0x73b7ea34",
            "parentcaller": "0x73b7d4bb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "EDB5F444-CB8D-445A-A523-EC5AB6EA33C7"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "5BB62628-92E7-4F54-81A5-29C579341E13"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9137
          },
          {
            "timestamp": "2026-06-29 22:15:05,328",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c347c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9138
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c347c",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "168"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x751524ac"
              }
            ],
            "repeated": 0,
            "id": 9139
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x747e78ce",
            "parentcaller": "0x747e7132",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "6311429E-2F1A-4777-880F-C7289FD10169"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "559B1911-D3AF-486E-B8BC-242B24DF0114"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9140
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9141
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{6311429E-2F1A-4777-880F-C7289FD10169}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{6311429E-2F1A-4777-880F-C7289FD10169}"
              }
            ],
            "repeated": 0,
            "id": 9142
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "srvcli.dll"
              }
            ],
            "repeated": 0,
            "id": 9143
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\srvcli.dll"
              }
            ],
            "repeated": 0,
            "id": 9144
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\srvcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9145
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000055c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\srvcli.dll"
              }
            ],
            "repeated": 0,
            "id": 9146
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0001d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9147
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738ca000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9148
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9149
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9150
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738c9000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9151
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 9152
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 9153
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738c9000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9154
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9155
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9156
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9157
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\system32\\srvcli.dll"
              }
            ],
            "repeated": 0,
            "id": 9158
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\srvcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9159
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 9160
          },
          {
            "timestamp": "2026-06-29 22:15:05,343",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\srvcli"
              },
              {
                "name": "DllBase",
                "value": "0x738b0000"
              }
            ],
            "repeated": 0,
            "id": 9161
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9162
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 9163
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x738b4433",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 9164
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x738b4433",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\srvcli"
              },
              {
                "name": "BaseAddress",
                "value": "0x738b0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x738b4cb0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9165
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9166
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9167
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x753b7025",
            "parentcaller": "0x753b738b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PIPE\\srvsvc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9168
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75bacaba",
            "parentcaller": "0x753b73b7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9169
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x753b6efe",
            "parentcaller": "0x753b73d3",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9170
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f671cf",
            "parentcaller": "0x76f66fe6",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "8\\x04\\x00\\x00\\xe8\\xfdi\\x00"
              }
            ],
            "repeated": 0,
            "id": 9171
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9172
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\Rpc"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
              }
            ],
            "repeated": 0,
            "id": 9173
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x753cf05a",
            "parentcaller": "0x753b783b",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "Buffer",
                "value": "\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00t\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\xc8O2Kp\\x16\\xd3\\x01\\x12xZG\\xbfn\\xe1\\x88\\x03\\x00\\x00\\x00\\x04]\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\xc8O2Kp\\x16\\xd3\\x01\\x12xZG\\xbfn\\xe1\\x88\\x03\\x00\\x00\\x00,\\x1c\\xb7l\\x12\\x98@E\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "116"
              }
            ],
            "repeated": 0,
            "id": 9174
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x753b6a2f",
            "parentcaller": "0x753b6a69",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9175
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x753b7750",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9176
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x753b7750",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000451"
              },
              {
                "name": "Milliseconds",
                "value": "900000"
              }
            ],
            "repeated": 0,
            "id": 9177
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x753b7750",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000451"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 9178
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "cscapi.dll"
              }
            ],
            "repeated": 0,
            "id": 9179
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\cscapi.dll"
              }
            ],
            "repeated": 0,
            "id": 9180
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cscapi.dll"
              }
            ],
            "repeated": 0,
            "id": 9181
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cscapi.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9182
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\cscapi.dll"
              }
            ],
            "repeated": 0,
            "id": 9183
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9184
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738ab000"
              },
              {
                "name": "ModuleName",
                "value": "cscapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9185
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9186
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9187
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738aa000"
              },
              {
                "name": "ModuleName",
                "value": "cscapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9188
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x738aa000"
              },
              {
                "name": "ModuleName",
                "value": "cscapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9189
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 9190
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 9191
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9192
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9193
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9194
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\cscapi.dll"
              }
            ],
            "repeated": 0,
            "id": 9195
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cscapi.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9196
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 9197
          },
          {
            "timestamp": "2026-06-29 22:15:05,359",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cscapi"
              },
              {
                "name": "DllBase",
                "value": "0x738a0000"
              }
            ],
            "repeated": 0,
            "id": 9198
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\cscapi"
              },
              {
                "name": "BaseAddress",
                "value": "0x738a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x738a3f20"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9199
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006e6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9200
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x75b94081",
            "parentcaller": "0x73b60456",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 9201
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x73b60493",
            "parentcaller": "0x76f3101f",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "134"
              }
            ],
            "repeated": 0,
            "id": 9202
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x73b81fbf",
            "parentcaller": "0x73b7dab7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "49F371E1-8C5C-4D9C-9A3B-54A6827F513C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "B4CD448A-9C86-4466-9201-2E62105B87AE"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9203
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 9204
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 9205
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9206
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 9207
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73890000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9208
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9209
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9210
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73898000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9211
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 9212
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 9213
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73898000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9214
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9215
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9216
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9217
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\system32\\netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 9218
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9219
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 9220
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\netutils"
              },
              {
                "name": "DllBase",
                "value": "0x73890000"
              }
            ],
            "repeated": 0,
            "id": 9221
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\netutils"
              },
              {
                "name": "BaseAddress",
                "value": "0x73890000"
              },
              {
                "name": "InitRoutine",
                "value": "0x73892d00"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9222
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9223
          },
          {
            "timestamp": "2026-06-29 22:15:05,375",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9224
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x753b7750",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000451"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 9225
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c347c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9226
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9227
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Sharing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Sharing"
              }
            ],
            "repeated": 0,
            "id": 9228
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x76f51f50",
            "parentcaller": "0x76f38d78",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 9229
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x76f392db",
            "parentcaller": "0x76f39742",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\ntshrui.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9230
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x76f392db",
            "parentcaller": "0x76f39742",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\ntshrui.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9231
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x76f3978c",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\ntshrui.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 9232
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x76f397b4",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecec30"
              },
              {
                "name": "ViewSize",
                "value": "0x00008000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9233
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x76f397c4",
            "parentcaller": "0x76f3926e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 9234
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75ba5297",
            "parentcaller": "0x75150f37",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000005a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x756192a0"
              },
              {
                "name": "Parameter",
                "value": "0x04ecfa40"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "5064"
              },
              {
                "name": "ProcessId",
                "value": "3236"
              },
              {
                "name": "Module",
                "value": "SHCORE.dll"
              }
            ],
            "repeated": 0,
            "id": 9235
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75ba5297",
            "parentcaller": "0x75150f37",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x000005a8",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x756192a0"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "Parameter",
                "value": "0x04ecfa40"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "5064"
              }
            ],
            "repeated": 0,
            "id": 9236
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 9237
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "5064",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9238
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "5064",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9239
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7561a660",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 9240
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7561a66a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 9241
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b83595",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9242
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 9243
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "SlowContextMenuEntries"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Buffer",
                "value": "`$\\xb2!\\xea:i\\x10\\xa2\\xdc\\x08\\x00+00\\x9d\\x87\\x01\\x00\\x00\\xbd\\x0e\\x0cGs]XM\\x9c\\xed\\xe9\\x1e\"\\xe22\\x822\\x02\\x00\\x00\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00FR\\x02\\x00\\x00N:\\xaa\\x90\\xba\\x1c3B\\xb8\\xbbSWs\\xd4\\x84I)\\x01\\x00\\x00@\\xc7\\xa4{\\x81\\x9e\\xcf\\x11\\x99\\xd3\\x00\\xaa\\x00J\\xe87\\xaf\n\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries"
              }
            ],
            "repeated": 0,
            "id": 9244
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 9245
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9246
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9247
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9248
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9249
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9250
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 9251
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9252
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 9253
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9254
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9255
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9256
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9257
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9258
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9259
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9260
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\xa6\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\xa6\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9261
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9262
          },
          {
            "timestamp": "2026-06-29 22:15:05,390",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a6"
              }
            ],
            "repeated": 0,
            "id": 9263
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9264
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 9265
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 9266
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9267
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 9268
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 9269
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9270
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 9271
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "5064",
            "caller": "0x73b9986d",
            "parentcaller": "0x73b99c3f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shacct"
              },
              {
                "name": "DllBase",
                "value": "0x73870000"
              }
            ],
            "repeated": 0,
            "id": 9272
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 9273
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9274
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 9275
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 9276
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9277
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}"
              }
            ],
            "repeated": 0,
            "id": 9278
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9279
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9280
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9281
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 9282
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9283
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9284
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9285
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}"
              }
            ],
            "repeated": 0,
            "id": 9286
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}"
              }
            ],
            "repeated": 0,
            "id": 9287
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9288
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9289
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4\\xa2\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u\\xa2\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9290
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
              }
            ],
            "repeated": 0,
            "id": 9291
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a2"
              }
            ],
            "repeated": 0,
            "id": 9292
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7668a8d3",
            "category": "system",
            "api": "NtClose",
            "status": false,
            "return": "0xffffffffc0000008",
            "pretty_return": "INVALID_HANDLE",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9293
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9294
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9295
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9296
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9297
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9298
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 9299
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9300
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 9301
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9302
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9303
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9304
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9305
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9306
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9307
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9308
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\xa2\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\xa2\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9309
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9310
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a2"
              }
            ],
            "repeated": 0,
            "id": 9311
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 9312
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x747c69db",
            "parentcaller": "0x747c62a0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9313
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9314
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "5064",
            "caller": "0x73b9986d",
            "parentcaller": "0x73b99c3f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4F6BCD94-C2A5-42CE-8DBC-31E794BE4630"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3C708557-C99D-4FA3-9231-56518418B4E4"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9315
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9316
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}"
              }
            ],
            "repeated": 0,
            "id": 9317
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9318
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9319
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9320
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 9321
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9322
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9323
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9324
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}"
              }
            ],
            "repeated": 0,
            "id": 9325
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}"
              }
            ],
            "repeated": 0,
            "id": 9326
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000058a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9327
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000058a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9328
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4\\x8a\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u\\x8a\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9329
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
              }
            ],
            "repeated": 0,
            "id": 9330
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058a"
              }
            ],
            "repeated": 0,
            "id": 9331
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75818b43",
            "parentcaller": "0x758189c5",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9332
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9333
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9334
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9335
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9336
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9337
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9338
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9339
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9340
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9341
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9342
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7643d37a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 9343
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9344
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7643d37a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 9345
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9346
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9347
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9348
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9349
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9350
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000058a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9351
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000058a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9352
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\x8a\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\x8a\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9353
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9354
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000058a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9355
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000058a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9356
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\x8a\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\x8a\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9357
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9358
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058a"
              }
            ],
            "repeated": 0,
            "id": 9359
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9360
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9361
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9362
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9363
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x7464071b",
            "parentcaller": "0x7464063c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9364
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x746407b1",
            "parentcaller": "0x7464063c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 9365
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x746405c7",
            "parentcaller": "0x7643d12c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntshrui.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73b50000"
              }
            ],
            "repeated": 0,
            "id": 9366
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9367
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 9368
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 9369
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E2BF9676-5F8F-435C-97EB-11607A5BEDF7"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E4-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9370
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9371
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}"
              }
            ],
            "repeated": 0,
            "id": 9372
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9373
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}"
              }
            ],
            "repeated": 0,
            "id": 9374
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9375
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9376
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9377
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 9378
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9379
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9380
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9381
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}"
              }
            ],
            "repeated": 0,
            "id": 9382
          },
          {
            "timestamp": "2026-06-29 22:15:05,406",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}"
              }
            ],
            "repeated": 0,
            "id": 9383
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9384
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9385
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4\\xb2\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u\\xb2\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9386
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}"
              }
            ],
            "repeated": 0,
            "id": 9387
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b2"
              }
            ],
            "repeated": 0,
            "id": 9388
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9389
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore"
              }
            ],
            "repeated": 0,
            "id": 9390
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b4"
              }
            ],
            "repeated": 0,
            "id": 9391
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9392
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              }
            ],
            "repeated": 0,
            "id": 9393
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9394
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9395
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9396
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9397
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9398
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{02df6db6-9405-4812-b3f6-500e8615b7af}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9399
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9400
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00D\\xe9\\xf4\\xe8\\xe8\\xe8\\xb6\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x90\\xeb\\xec\\x04\\xbc^\\xb8u\\xb6\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9401
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{02df6db6-9405-4812-b3f6-500e8615b7af}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{02df6db6-9405-4812-b3f6-500e8615b7af}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9402
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b6"
              }
            ],
            "repeated": 0,
            "id": 9403
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005b0"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\"
              }
            ],
            "repeated": 0,
            "id": 9404
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\Windows.ModernShare"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.ModernShare"
              }
            ],
            "repeated": 0,
            "id": 9405
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.ModernShare\\"
              }
            ],
            "repeated": 0,
            "id": 9406
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9407
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9408
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9409
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9410
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9411
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9412
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9413
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9414
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9415
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9416
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 9417
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e779e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9418
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e779e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 9419
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9420
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9421
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9422
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9423
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9424
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9425
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9426
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe8\\x9c\\xe8\\x90\\xe8\\xc2\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xeb\\xec\\x04\\xbc^\\xb8u\\xc2\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9427
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9428
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9429
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9430
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe8\\x9c\\xe8\\x90\\xe8\\xc2\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xeb\\xec\\x04\\xbc^\\xb8u\\xc2\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9431
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9432
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c2"
              }
            ],
            "repeated": 0,
            "id": 9433
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9434
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9435
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9436
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9437
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x7464071b",
            "parentcaller": "0x7464063c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9438
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x746407b1",
            "parentcaller": "0x7464063c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 9439
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x746405c7",
            "parentcaller": "0x747a98f5",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntshrui.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73b50000"
              }
            ],
            "repeated": 0,
            "id": 9440
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9441
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 9442
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 9443
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x747e78ce",
            "parentcaller": "0x74b29bd8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E2BF9676-5F8F-435C-97EB-11607A5BEDF7"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9444
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9445
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "5064",
            "caller": "0x73b99893",
            "parentcaller": "0x73b99c3f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\IDStore"
              },
              {
                "name": "DllBase",
                "value": "0x73840000"
              }
            ],
            "repeated": 0,
            "id": 9446
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005bc"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.ModernShare\\"
              }
            ],
            "repeated": 0,
            "id": 9447
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x758817d7",
            "parentcaller": "0x75831999",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.DataTransfer.DataTransferManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.DataTransfer.DataTransferManager"
              }
            ],
            "repeated": 0,
            "id": 9448
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75881887",
            "parentcaller": "0x75881832",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c4"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff8aX\\x17\\xffce}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00r\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00D\\x00a\\x00t\\x00a\\x00T\\x00r\\x00a\\x00n\\x00s\\x00f\\x00e\\x00r\\x00.\\x00D\\x00a\\x00t\\x00a\\x00T\\x00r\\x00a\\x00n\\x00s\\x00f\\x00e\\x00r\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00n\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xff96j\\x00(\\xff96j\\x00>\\x00\\x00\\x00\\xffa8\\xfff3\\xffec\\x04#\\x0c\\xff83u\\x02\\x00\\x00\\x00\\xff93\\x0c\\xff83uT\\x18\\xff9au`\t\\xff83u\\xff90Kn\\x00\\xfff4\\x0c\\xff83u\\xff98\\xffff\\x7f\\x02\\xfffe'\\xffebi\\xff90Kn\\x00\\x01\\x00\\x00\\x00T\\x18\\xff9au\\x00\\x00\\x00\\x00>\\x00\\x00\\x00e\\x00\\x00\\x00`\t\\xff83u\\xfff0\\xff86\\xff89u \\xfff8\\x7f\\x02\\x03\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\xfff0\\xffcfh\\x00\\xffff\\x07\\x00\\x00e\\x00\\x00\\x00\\xffc0}~\\x02\\xffd0\\x10\\x02\\x00(\\xff96j\\x00\\xffb0O\\x02w8\\xfffb\\xff99u\\x00\\x00\\x00\\x00\\xff80>j\\x00e\\x00\\x00e>\\x00\\x00\\x00@\\xffad\\xfff7v \\x00\\x00\\x00\\x03\\x006\\x00H\\xfff3\\xffec\\x04T\\xffc2h\\x00 \\x00\\x00\\x00'\\x00/\\x00X\\xfff3\\xffec\\x04D?n\\x00P\\xfff3\\xffec\\x04\\x7fb\\xfff4vS\\x00\\x00\\x00 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xffdc\\xff82n\\x00P\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00@\\xffc2h\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfffel\\x000?n\\x00\\x00\\x00\\x00\\x00\\xfff0\\xffcfh\\x00\\xfff0\\xffcfh\\x00\\x00\\x00\\x00\\x00(\\xff96j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xffe0\\x01\\x02\\x00\\x00\\x00\\x00\\x00D\\x00\\x00\\x00|\\x0c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00x\\x0c\\x02\\x00\\xffde]\\xfff4vp\\xfff3\\xffec\\x04\\xffde]\\xfff4v\\xfff0\\xffcfh\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xff96j\\x00\\xfff0\\xffcfh\\x00\\xff90Kn\\x00(\\xff96j\\x00\\xffa4\\xfff3\\xffec\\x04@\\xffa0\\xff82u\\xffa8Kn\\x00\\xfff0\\xffcfh\\x000\\xff9f\\xff82u\\xfff0\\xffcfh\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9449
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CustomAttributes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.DataTransfer.DataTransferManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 9450
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7582b908",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c4"
              }
            ],
            "repeated": 0,
            "id": 9451
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f51b4e",
            "parentcaller": "0x76f4e1dd",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000007c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 9452
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "twinapi.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 9453
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 9454
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e155",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9455
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e155",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\twinapi.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 9456
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x736b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0018f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9457
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73822000"
              },
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9458
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9459
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9460
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7381e000"
              },
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9461
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7381e000"
              },
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9462
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f50eba",
            "parentcaller": "0x76f50d02",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\xe3\\x83\\x05\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\x0cm\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x85s\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xa1\\x84s\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00o\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x00s\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x002\\x00\\\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x00r\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9463
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 9464
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 9465
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9466
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9467
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9468
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 9469
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9470
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 9471
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\twinapi.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x736b0000"
              }
            ],
            "repeated": 0,
            "id": 9472
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\twinapi.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x736b0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x73733930"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9473
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x758383c5",
            "parentcaller": "0x75838242",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9474
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7621302b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 9475
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73b5c419",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 9476
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x73b7a24d",
            "parentcaller": "0x73b734b6",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F324E4F9-8496-40B2-A1FF-9617C1C9AFFE"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "387FDB83-DD33-4995-9D2D-1F647E846705"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9477
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9478
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9479
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9480
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9481
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9482
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9483
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x75b8f25e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Local\\SessionImmersiveColorMutex"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9484
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 9485
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x741e418f",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f001f"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\SessionImmersiveColorPreference"
              }
            ],
            "repeated": 0,
            "id": 9486
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x741e41c8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005c0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05870000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecf90c"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9487
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 9488
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9489
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent"
              }
            ],
            "repeated": 0,
            "id": 9490
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9491
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Personalization"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Personalization"
              }
            ],
            "repeated": 0,
            "id": 9492
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 9493
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9494
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Personalization"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Personalization"
              }
            ],
            "repeated": 0,
            "id": 9495
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 9496
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x741e435a",
            "parentcaller": "0x741e2a65",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 0,
            "id": 9497
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x741f500a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 9498
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "5064",
            "caller": "0x73b99893",
            "parentcaller": "0x73b99c3f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SAMLIB"
              },
              {
                "name": "DllBase",
                "value": "0x73690000"
              }
            ],
            "repeated": 0,
            "id": 9499
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00<\\x85\"t\\x8c\\xf8\\xec\\x04\\x19N\\x1ft<\\x85\"t\\xe8\\xf8\\xec\\x04\\xf8\\x8a\"t\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x8a\"t\\xcc\\xf8\\xec\\x04"
              }
            ],
            "repeated": 0,
            "id": 9500
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 9501
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005d0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 9502
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              }
            ],
            "repeated": 0,
            "id": 9503
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x741f452a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 9504
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x741e4217",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 9505
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x741e435a",
            "parentcaller": "0x741e427f",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 0,
            "id": 9506
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9507
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9508
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9509
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9510
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9511
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9512
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9513
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9514
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9515
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9516
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9517
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9518
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9519
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75030000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9520
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x74edf4b4",
            "parentcaller": "0x74ed6805",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 9521
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006f3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9522
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006f8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9523
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006fd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9524
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x74ed0b79",
            "parentcaller": "0x74ed1806",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 9525
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9526
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              }
            ],
            "repeated": 0,
            "id": 9527
          },
          {
            "timestamp": "2026-06-29 22:15:05,422",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74ecf4af",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 9528
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9529
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x75baa9ec",
            "parentcaller": "0x74ecf6ed",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005f8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9530
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x75b90e6c",
            "parentcaller": "0x74ecf746",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005f8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              },
              {
                "name": "Buffer",
                "value": "\\x1a\\x83W\\xa5\\x02\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00$\\x01\\x00\\x00$)\\x00\\x00\\x00\\x00\\x02\\x00\\xbe\\x02\\x00\\x00<\\x00\\x00\\x00$!\\x00\\x00L)\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "60"
              }
            ],
            "repeated": 0,
            "id": 9531
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x75b8f828",
            "parentcaller": "0x75b8f48e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005f8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              }
            ],
            "repeated": 0,
            "id": 9532
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x74ecf632",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005e8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x058a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecdf70"
              },
              {
                "name": "ViewSize",
                "value": "0x01260000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9533
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "5064",
            "caller": "0x7384636e",
            "parentcaller": "0x73846007",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "30D49246-D217-465F-B00B-AC9DDD652EB7"
              },
              {
                "name": "ClsContext",
                "value": "0x00000017",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "riid",
                "value": "DF586FA5-6F35-44F1-B209-B38E169772EB"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9534
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "5064",
            "caller": "0x73b99893",
            "parentcaller": "0x73b99c3f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "40AFA0B6-3B2F-4654-8C3F-161DE85CF80E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "9EC044BC-B01D-4C18-8634-59BD3FF5DCC1"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9535
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "5064",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9536
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "5064",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9537
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 9538
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 9539
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 9540
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9541
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000600"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005f4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 9542
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000600"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x735f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00094000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9543
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "5064",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9544
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "5064",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9545
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "5064",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9546
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "5064",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9547
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9548
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9549
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73681000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9550
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000600"
              }
            ],
            "repeated": 0,
            "id": 9551
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 9552
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73681000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9553
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9554
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9555
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9556
          },
          {
            "timestamp": "2026-06-29 22:15:05,437",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 9557
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000604"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9558
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9559
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x735f0000"
              }
            ],
            "repeated": 0,
            "id": 9560
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\TextShaping"
              },
              {
                "name": "BaseAddress",
                "value": "0x735f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7367f2b0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9561
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74f43000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9562
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74f43000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9563
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00704000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9564
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9565
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 9566
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74ece9a1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9567
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9568
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000109",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 9569
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffb4\\xfff3\\xff9a~\\xffe3\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x18\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9570
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9571
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9572
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 9573
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9574
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9575
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9576
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9577
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7388b000"
              },
              {
                "name": "ModuleName",
                "value": "shacct.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9578
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9579
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
              }
            ],
            "repeated": 0,
            "id": 9580
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000604"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Segoe MDL2 Assets"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe MDL2 Assets"
              }
            ],
            "repeated": 0,
            "id": 9581
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74ece938",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9582
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9583
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9584
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9585
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{23170F69-40C1-278A-1000-000100020000}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9586
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9587
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9588
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9589
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9590
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{23170F69-40C1-278A-1000-000100020000}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9591
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9592
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7643d37a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9593
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9594
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7643d37a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9595
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9596
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9597
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9598
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9599
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9600
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9601
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9602
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\x06\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9603
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 9604
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9605
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9606
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\x06\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9607
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 9608
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              }
            ],
            "repeated": 0,
            "id": 9609
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9610
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9611
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9612
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9613
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x7464071b",
            "parentcaller": "0x7464063c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{23170f69-40c1-278a-1000-000100020000}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170f69-40c1-278a-1000-000100020000}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9614
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x746407b1",
            "parentcaller": "0x7464063c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9615
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x746405c7",
            "parentcaller": "0x7643d12c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "7-zip32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9616
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9617
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 9618
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9619
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9620
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73ba5000"
              },
              {
                "name": "ModuleName",
                "value": "ntshrui.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9621
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x75b8696b",
            "parentcaller": "0x73846d12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 9622
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x73b891bd",
            "parentcaller": "0x73b66a68",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "30D49246-D217-465F-B00B-AC9DDD652EB7"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "DF586FA5-6F35-44F1-B209-B38E169772EB"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9623
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x73b994c4",
            "parentcaller": "0x73b99c4b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "D4F01ADA-979C-491E-BAC3-CD3C0E7BCF82"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E6496873-6DDC-4709-8785-1A5B3267843B"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9624
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x7384636e",
            "parentcaller": "0x73846007",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "30D49246-D217-465F-B00B-AC9DDD652EB7"
              },
              {
                "name": "ClsContext",
                "value": "0x00000017",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "riid",
                "value": "DF586FA5-6F35-44F1-B209-B38E169772EB"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9625
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x738449cf",
            "parentcaller": "0x738446b2",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "40AFA0B6-3B2F-4654-8C3F-161DE85CF80E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000017",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "riid",
                "value": "9EC044BC-B01D-4C18-8634-59BD3FF5DCC1"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9626
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 9627
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x75b8696b",
            "parentcaller": "0x73846d12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9628
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9629
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "5064",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\IdentityStore\\Providers\\{D7F9888F-E3FC-49B0-9EA6-A85B5F392A4F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\IdentityStore\\Providers\\{D7F9888F-E3FC-49B0-9EA6-A85B5F392A4F}"
              }
            ],
            "repeated": 0,
            "id": 9630
          },
          {
            "timestamp": "2026-06-29 22:15:05,453",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files\\7-Zip\\7-zip32"
              },
              {
                "name": "DllBase",
                "value": "0x735d0000"
              }
            ],
            "repeated": 0,
            "id": 9631
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "23170F69-40C1-278A-1000-000100020000"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E4-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9632
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9633
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{23170F69-40C1-278A-1000-000100020000}"
              }
            ],
            "repeated": 0,
            "id": 9634
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 9635
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9636
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{23170F69-40C1-278A-1000-000100020000}"
              }
            ],
            "repeated": 0,
            "id": 9637
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9638
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9639
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9640
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 9641
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9642
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9643
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9644
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              }
            ],
            "repeated": 0,
            "id": 9645
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              }
            ],
            "repeated": 0,
            "id": 9646
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9647
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9648
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4\\xf6\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u\\xf6\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9649
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}"
              }
            ],
            "repeated": 0,
            "id": 9650
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f6"
              }
            ],
            "repeated": 0,
            "id": 9651
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x735d48c1",
            "parentcaller": "0x735d97a0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\7-Zip"
              },
              {
                "name": "Handle",
                "value": "0x000005f4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\7-Zip"
              }
            ],
            "repeated": 0,
            "id": 9652
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x735d49ec",
            "parentcaller": "0x735d97ae",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              },
              {
                "name": "ValueName",
                "value": "Lang"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\7-Zip\\Lang"
              }
            ],
            "repeated": 0,
            "id": 9653
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x735d48e8",
            "parentcaller": "0x735d976b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 9654
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x735d93b9",
            "parentcaller": "0x735d94e1",
            "category": "system",
            "api": "GetSystemDefaultLangID",
            "status": true,
            "return": "0x00670409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00670409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 9655
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x735d93c1",
            "parentcaller": "0x735d94e1",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 9656
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\7-Zip\\Lang\\en.txt"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 9657
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x735d48c1",
            "parentcaller": "0x735d616a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\7-Zip\\Options"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\7-Zip\\Options"
              }
            ],
            "repeated": 0,
            "id": 9658
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b92ee6",
            "parentcaller": "0x735d2f10",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x006f0e60",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xba75d5dd"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0814"
              }
            ],
            "repeated": 0,
            "id": 9659
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75ba4678",
            "parentcaller": "0x735d2ec2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 9660
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x76f392db",
            "parentcaller": "0x76f39742",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\SystemResources\\7-zip32.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 1,
            "id": 9661
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9662
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9663
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9664
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9665
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9666
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9667
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9668
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9669
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9670
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9671
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7643d37a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 9672
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9673
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7643d37a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 9674
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9675
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9676
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9677
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9678
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9679
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9680
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9681
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\xf6\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\xf6\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9682
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9683
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9684
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9685
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\xf6\\x05\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\xf6\\x05\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9686
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9687
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f6"
              }
            ],
            "repeated": 0,
            "id": 9688
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9689
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9690
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9691
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9692
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x7464071b",
            "parentcaller": "0x7464063c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{470c0ebd-5d73-4d58-9ced-e91e22e23282}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470c0ebd-5d73-4d58-9ced-e91e22e23282}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9693
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x746407b1",
            "parentcaller": "0x7464063c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 9694
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x746405c7",
            "parentcaller": "0x7643d12c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "appresolver.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73d70000"
              }
            ],
            "repeated": 0,
            "id": 9695
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9696
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 9697
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 9698
          },
          {
            "timestamp": "2026-06-29 22:15:05,484",
            "thread_id": "5064",
            "caller": "0x738473f3",
            "parentcaller": "0x73847157",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\samcli"
              },
              {
                "name": "DllBase",
                "value": "0x73520000"
              }
            ],
            "repeated": 0,
            "id": 9699
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "5064",
            "caller": "0x738473f3",
            "parentcaller": "0x73847157",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wlidprov"
              },
              {
                "name": "DllBase",
                "value": "0x73540000"
              }
            ],
            "repeated": 0,
            "id": 9700
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "5064",
            "caller": "0x738473f3",
            "parentcaller": "0x73847157",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "D7F9888F-E3FC-49B0-9EA6-A85B5F392A4F"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0D1B9E0C-E8BA-4F55-A81B-BCE934B948F5"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9701
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "5064",
            "caller": "0x75b8696b",
            "parentcaller": "0x73847430",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9702
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": false,
            "return": "0xffffffff8007007e",
            "arguments": [
              {
                "name": "rclsid",
                "value": "470C0EBD-5D73-4D58-9CED-E91E22E23282"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E4-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9703
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9704
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9705
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9706
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9707
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\shellex\\NoAddToRecent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\shellex\\NoAddToRecent"
              }
            ],
            "repeated": 0,
            "id": 9708
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9709
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9710
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9711
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9712
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 9713
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7643d37a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9714
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9715
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7643d37a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9716
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "5064",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9717
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9718
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9719
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9720
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "5064",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000508"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-18\\Software\\Microsoft\\IdentityCRL\\StoredIdentities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_USERS\\S-1-5-18\\Software\\Microsoft\\IdentityCRL\\StoredIdentities"
              }
            ],
            "repeated": 0,
            "id": 9721
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9722
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "5064",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000604"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9723
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000612"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InprocServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9724
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "5064",
            "caller": "0x75b8696b",
            "parentcaller": "0x7355779f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 9725
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\x12\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\x12\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9726
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 9727
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000612"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InprocServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9728
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000612"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9729
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf0t\\xf0h\\xf0\\x12\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf3\\xec\\x04\\xbc^\\xb8u\\x12\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9730
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 9731
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000612"
              }
            ],
            "repeated": 0,
            "id": 9732
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9733
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9734
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9735
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 9736
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x7464071b",
            "parentcaller": "0x7464063c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9737
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x746407b1",
            "parentcaller": "0x7464063c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9738
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x746405c7",
            "parentcaller": "0x7643d12c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "acppage.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9739
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9740
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 9741
          },
          {
            "timestamp": "2026-06-29 22:15:05,500",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9742
          },
          {
            "timestamp": "2026-06-29 22:15:05,515",
            "thread_id": "5064",
            "caller": "0x73b9c9ce",
            "parentcaller": "0x73b89b7a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\provsvc"
              },
              {
                "name": "DllBase",
                "value": "0x734b0000"
              }
            ],
            "repeated": 0,
            "id": 9743
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x73b9c9ce",
            "parentcaller": "0x73b89b7a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DE77BA04-3C92-4D11-A1A5-42352A53E0E3"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "7A3BD1D9-35A9-4FB3-A467-F48CAC35E2D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9744
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9745
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000628"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "System\\CurrentControlSet\\Services\\HomeGroupProvider\\ServiceData"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\HomeGroupProvider\\ServiceData"
              }
            ],
            "repeated": 0,
            "id": 9746
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000628"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff825\\xffa4\\xffd1\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9747
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x75b8696b",
            "parentcaller": "0x734bca9d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000628"
              }
            ],
            "repeated": 0,
            "id": 9748
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x75b8696b",
            "parentcaller": "0x73846d12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 9749
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x75b8f11f",
            "parentcaller": "0x758069c0",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75450000"
              }
            ],
            "repeated": 0,
            "id": 9750
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x76f6b4e6",
            "parentcaller": "0x75bab545",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5064"
              }
            ],
            "repeated": 0,
            "id": 9751
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "5064",
            "caller": "0x76f51b4e",
            "parentcaller": "0x76f4f6de",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000007c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 9752
          },
          {
            "timestamp": "2026-06-29 22:15:05,531",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "168"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x751524ac"
              }
            ],
            "repeated": 0,
            "id": 9753
          },
          {
            "timestamp": "2026-06-29 22:15:05,547",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\sfc"
              },
              {
                "name": "DllBase",
                "value": "0x66680000"
              }
            ],
            "repeated": 0,
            "id": 9754
          },
          {
            "timestamp": "2026-06-29 22:15:05,547",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\msi"
              },
              {
                "name": "DllBase",
                "value": "0x731f0000"
              }
            ],
            "repeated": 0,
            "id": 9755
          },
          {
            "timestamp": "2026-06-29 22:15:05,547",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x73140000"
              }
            ],
            "repeated": 0,
            "id": 9756
          },
          {
            "timestamp": "2026-06-29 22:15:05,547",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\AEPIC"
              },
              {
                "name": "DllBase",
                "value": "0x73170000"
              }
            ],
            "repeated": 0,
            "id": 9757
          },
          {
            "timestamp": "2026-06-29 22:15:05,578",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\sfc_os"
              },
              {
                "name": "DllBase",
                "value": "0x73130000"
              }
            ],
            "repeated": 0,
            "id": 9758
          },
          {
            "timestamp": "2026-06-29 22:15:05,578",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\acppage"
              },
              {
                "name": "DllBase",
                "value": "0x73490000"
              }
            ],
            "repeated": 0,
            "id": 9759
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b8ef86",
            "parentcaller": "0x7318392c",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "168"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x751524ac"
              }
            ],
            "repeated": 0,
            "id": 9760
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x7643d400",
            "parentcaller": "0x76448d3e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1D27F844-3A1F-4410-85AC-14651078412D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E4-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": "CompatContextMenu.CompatContextMenu.1"
              }
            ],
            "repeated": 0,
            "id": 9761
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9762
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{1D27F844-3A1F-4410-85AC-14651078412D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{1D27F844-3A1F-4410-85AC-14651078412D}"
              }
            ],
            "repeated": 0,
            "id": 9763
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9764
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{1D27F844-3A1F-4410-85AC-14651078412D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{1D27F844-3A1F-4410-85AC-14651078412D}"
              }
            ],
            "repeated": 0,
            "id": 9765
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9766
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9767
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x06\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x06\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9768
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 9769
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9770
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9771
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9772
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}"
              }
            ],
            "repeated": 0,
            "id": 9773
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000650"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}"
              }
            ],
            "repeated": 0,
            "id": 9774
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000652"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9775
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000652"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9776
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4R\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8uR\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9777
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}"
              }
            ],
            "repeated": 0,
            "id": 9778
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000652"
              }
            ],
            "repeated": 0,
            "id": 9779
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x747c3b1f",
            "parentcaller": "0x747c1757",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 9780
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x73134395",
            "parentcaller": "0x73134121",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 9781
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "5064",
            "caller": "0x75b9106a",
            "parentcaller": "0x753cb380",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 9782
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "5064",
            "caller": "0x75b9106a",
            "parentcaller": "0x753cb402",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 9783
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "5064",
            "caller": "0x76f6b509",
            "parentcaller": "0x75bab545",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9784
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x731342b5",
            "parentcaller": "0x73134144",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\FileMaps\\users_rajesh_appdata_local_temp_9023b969dd9e9f6f.cdf-ms"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              }
            ],
            "repeated": 0,
            "id": 9785
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "SETUPAPI.dll"
              }
            ],
            "repeated": 0,
            "id": 9786
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0043c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9787
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76b8d000"
              },
              {
                "name": "ModuleName",
                "value": "SETUPAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9788
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9789
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9790
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76b89000"
              },
              {
                "name": "ModuleName",
                "value": "SETUPAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9791
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f4f089",
            "parentcaller": "0x76f52308",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 9792
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76b89000"
              },
              {
                "name": "ModuleName",
                "value": "SETUPAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9793
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9794
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9795
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9796
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\SETUPAPI.dll"
              }
            ],
            "repeated": 0,
            "id": 9797
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\setupapi.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9798
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 9799
          },
          {
            "timestamp": "2026-06-29 22:15:05,593",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SETUPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 9800
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x75b8f25e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065c"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9801
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x75b8f25e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000664"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9802
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x76acd65e",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 9803
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x76acd65e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\setupapi"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x76ae09e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9804
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7313c000"
              },
              {
                "name": "ModuleName",
                "value": "sfc_os.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9805
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7313c000"
              },
              {
                "name": "ModuleName",
                "value": "sfc_os.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9806
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9807
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles"
              }
            ],
            "repeated": 0,
            "id": 9808
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b92ee6",
            "parentcaller": "0x73494e9a",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x006f0c20",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xba75d5dd"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0814"
              }
            ],
            "repeated": 0,
            "id": 9809
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f51f50",
            "parentcaller": "0x76f38d78",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 9810
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f392db",
            "parentcaller": "0x76f39742",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000066c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\acppage.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9811
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f3978c",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000066c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\en-US\\acppage.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 9812
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f397b4",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ece710"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9813
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f397c4",
            "parentcaller": "0x76f3926e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 9814
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75ba4678",
            "parentcaller": "0x73494f5a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000668"
              }
            ],
            "repeated": 0,
            "id": 9815
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b83595",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9816
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000668"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 9817
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000668"
              },
              {
                "name": "ValueName",
                "value": "SlowContextMenuEntries"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Buffer",
                "value": "`$\\xb2!\\xea:i\\x10\\xa2\\xdc\\x08\\x00+00\\x9d\\x87\\x01\\x00\\x00\\xbd\\x0e\\x0cGs]XM\\x9c\\xed\\xe9\\x1e\"\\xe22\\x822\\x02\\x00\\x00\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00FR\\x02\\x00\\x00N:\\xaa\\x90\\xba\\x1c3B\\xb8\\xbbSWs\\xd4\\x84I)\\x01\\x00\\x00@\\xc7\\xa4{\\x81\\x9e\\xcf\\x11\\x99\\xd3\\x00\\xaa\\x00J\\xe87\\xaf\n\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries"
              }
            ],
            "repeated": 0,
            "id": 9818
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000668"
              }
            ],
            "repeated": 0,
            "id": 9819
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000668"
              }
            ],
            "repeated": 0,
            "id": 9820
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9821
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000668"
              }
            ],
            "repeated": 0,
            "id": 9822
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9823
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9824
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9825
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9826
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000668"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9827
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9828
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9829
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xeej\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8uj\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9830
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 9831
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000066a"
              }
            ],
            "repeated": 0,
            "id": 9832
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9833
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9834
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xf5D\\xf58\\xf5\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xe0\\xf7\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9835
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 9836
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000668"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 9837
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000066a"
              }
            ],
            "repeated": 0,
            "id": 9838
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9839
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9840
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xf5<\\xf50\\xf5\\x06\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf7\\xec\\x04\\xbc^\\xb8u\\x06\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9841
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 9842
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000668"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000406"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 9843
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9844
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000406"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9845
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x06\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x06\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9846
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 9847
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9848
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9849
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9850
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 9851
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 9852
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000672"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9853
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000672"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9854
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4r\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8ur\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9855
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 9856
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000672"
              }
            ],
            "repeated": 0,
            "id": 9857
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9858
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9859
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2j\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8uj\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9860
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 9861
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9862
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9863
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2j\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8uj\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9864
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 9865
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9866
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9867
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75ba4eeb",
            "parentcaller": "0x75608c21",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 9868
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x74850991",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9869
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x74850991",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "Milliseconds",
                "value": "150"
              }
            ],
            "repeated": 0,
            "id": 9870
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9871
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7565c000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9872
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75ba4eeb",
            "parentcaller": "0x7562f035",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x10!\\x00\\xa4\\x0c\\x00\\x00\\x98\\x01\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "408"
              }
            ],
            "repeated": 0,
            "id": 9873
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9874
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9875
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x758817d7",
            "parentcaller": "0x75831999",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application"
              }
            ],
            "repeated": 0,
            "id": 9876
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75881887",
            "parentcaller": "0x75881832",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067c"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00X\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00h\\x08\\x02\\x00\\x08\\x00\\x15\\xffc0\\xfff4\\xfff3j\\x05\\xffde]\\xfff4v\\xfff4Fn\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff801p\\x00\\xff801p\\x00\\xffd0\\x07'\\x02\\xff80\\xfff5j\\x05#\\x0c\\xff83u\\x02\\x00\\x00\\x00\\xff93\\x0c\\xff83uT\\x18\\xff9au`\t\\xff83u\\xffe0Fn\\x00\\xfff4\\x0c\\xff83u\\xffc8\\x18\\x13{\\xffe6\\xfff5j\\x05\\xffe0Fn\\x00\\x01\\x00\\x00\\x00T\\x18\\xff9au\\x00\\x00\\x00\\x00\\x11\\x00\\x05\\x00\\xffa0\\xffe6~\\x02`\t\\xff83u\\xfff0\\xff86\\xff89u\\x00\\x00@\\x028\t'\\x02`\\xfff4j\\x05`\\x0bo\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb76\\x00\\x00\\xff801p\\x00\\x00\\x00\\x00\\x008\\xfffb\\xff99u\\xffdc\\xfff8j\\x05H+p\\x00/\\xfff5\\xfff4v\\xffa0\\xfff5j\\x05\\xffd0\\x12f\\x00 \\x00\\x00\\x00%\\x00$\\x00 \\xfff5j\\x05\\x04\\x03o\\x00 \\x00\\x00\\x00\\x11\\x00\t\\x000\\xfff5j\\x05D?n\\x00(\\xfff5j\\x05\\x7fb\\xfff4vX\\x00\\x00\\x00 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xffdc\\xff82n\\x00P\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xfff0\\x02o\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfffel\\x000?n\\x00\\x00\\x00\\x00\\x00`\\x0bo\\x00`\\x0bo\\x00\\x00\\x00\\x00\\x00\\xff801p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xffe0\\x01\\x02\\x00\\x00\\x00\\x00\\x00D\\x00\\x00\\x00|\\x0c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00x\\x0c\\x02\\x00\\xffde]\\xfff4vH\\xfff5j\\x05\\xffde]\\xfff4v`\\x0bo\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff801p\\x00`\\x0bo\\x00\\xffe0Fn\\x00\\xff801p\\x00|\\xfff5j\\x05@\\xffa0\\xff82u\\xfff8Fn\\x00`\\x0bo\\x000\\xff9f\\xff82u`\\x0bo\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9877
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000067c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CustomAttributes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 9878
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7582b908",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 9879
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7584d2e3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9880
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9881
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9882
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{D81E96F1-A89C-417E-9335-59531026309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D81E96F1-A89C-417E-9335-59531026309D}"
              }
            ],
            "repeated": 0,
            "id": 9883
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{D81E96F1-A89C-417E-9335-59531026309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{D81E96F1-A89C-417E-9335-59531026309D}"
              }
            ],
            "repeated": 0,
            "id": 9884
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9885
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9886
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xdej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xde\\x9c\\xde\\x90\\xde~\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x008\\xe1j\\x05\\xbc^\\xb8u~\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9887
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9888
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000680"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000067e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9889
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000682"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9890
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000682"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9891
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xdej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xdet\\xdeh\\xde\\x82\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xe1j\\x05\\xbc^\\xb8u\\x82\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9892
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9893
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000682"
              }
            ],
            "repeated": 0,
            "id": 9894
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067e"
              }
            ],
            "repeated": 0,
            "id": 9895
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9896
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9897
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9898
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9899
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x758383c5",
            "parentcaller": "0x75838242",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9900
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x758817d7",
            "parentcaller": "0x75831999",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.ApplicationExtension"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension"
              }
            ],
            "repeated": 0,
            "id": 9901
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75881887",
            "parentcaller": "0x75881832",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067c"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00j\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00E\\x00x\\x00t\\x00e\\x00n\\x00s\\x00i\\x00o\\x00n\\x00j\\x05\\xffde]\\xfff4vt?n\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb83j\\x00\\xffb83j\\x00\\x00\\x00\\x00\\x00\\xff80\\xfff5j\\x05#\\x0c\\xff83u\\x02\\x00\\x00\\x00\\xff93\\x0c\\xff83uT\\x18\\xff9au`\t\\xff83u`?n\\x00\\xfff4\\x0c\\xff83u\\xff94\\xff99\\xffc5u\\x00\\x00\\x00\\x00`?n\\x00\\x01\\x00\\x00\\x00T\\x18\\xff9au\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\t\\xff83u\\xfff0\\xff86\\xff89u\\xff92q\\xfff4v{\\xff8c\\xfff4vj\\x13\\xff81\\x1b`\\x0bo\\x00\\xff8c\\x01\\x00\\x00\\xff80\\xfff6j\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb83j\\x00\\x00\\x00\\x00\\x008\\xfffb\\xff99u\\x00\\x00\\x00\\x00P-p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00%\\x00!\\x00 \\xfff5j\\x05\\x04\\x03o\\x00 \\x00\\x00\\x00\\x10\\x00\\x07\\x000\\xfff5j\\x05D?n\\x00(\\xfff5j\\x05\\x7fb\\xfff4v\\x01\\x00\\x00\\x00 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xffdc\\xff82n\\x00P\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xfff0\\x02o\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfffel\\x000?n\\x00\\x00\\x00\\x00\\x00`\\x0bo\\x00`\\x0bo\\x00\\x00\\x00\\x00\\x00\\xffb83j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xffe0\\x01\\x02\\x00\\x00\\x00\\x00\\x00D\\x00\\x00\\x00|\\x0c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00x\\x0c\\x02\\x00\\xffde]\\xfff4vH\\xfff5j\\x05\\xffde]\\xfff4v`\\x0bo\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb83j\\x00`\\x0bo\\x00`?n\\x00\\xffb83j\\x00|\\xfff5j\\x05@\\xffa0\\xff82ux?n\\x00`\\x0bo\\x000\\xff9f\\xff82u`\\x0bo\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9902
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000067c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CustomAttributes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 9903
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7582b908",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 9904
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7584d2e3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9905
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9906
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9907
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}"
              }
            ],
            "repeated": 0,
            "id": 9908
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}"
              }
            ],
            "repeated": 0,
            "id": 9909
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9910
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9911
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xdej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xde\\x9c\\xde\\x90\\xde~\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x008\\xe1j\\x05\\xbc^\\xb8u~\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9912
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9913
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000680"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000067e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9914
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000682"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9915
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000682"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9916
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xdej\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xdet\\xdeh\\xde\\x82\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xe1j\\x05\\xbc^\\xb8u\\x82\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9917
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9918
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000682"
              }
            ],
            "repeated": 0,
            "id": 9919
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067e"
              }
            ],
            "repeated": 0,
            "id": 9920
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9921
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9922
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9923
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9924
          },
          {
            "timestamp": "2026-06-29 22:15:05,609",
            "thread_id": "408",
            "caller": "0x758383c5",
            "parentcaller": "0x75838242",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9925
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9926
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9927
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}"
              }
            ],
            "repeated": 0,
            "id": 9928
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}"
              }
            ],
            "repeated": 0,
            "id": 9929
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9930
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9931
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xe6\\xdc\\xe5\\xd0\\xe5v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00x\\xe8j\\x05\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9932
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9933
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000676"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9934
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9935
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9936
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xe5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xe6\\xb4\\xe5\\xa8\\xe5~\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xe8j\\x05\\xbc^\\xb8u~\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9937
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9938
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067e"
              }
            ],
            "repeated": 0,
            "id": 9939
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 9940
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9941
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9942
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9943
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9944
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9945
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9946
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}"
              }
            ],
            "repeated": 0,
            "id": 9947
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}"
              }
            ],
            "repeated": 0,
            "id": 9948
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9949
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9950
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xe6\\xdc\\xe5\\xd0\\xe5v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00x\\xe8j\\x05\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9951
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9952
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000676"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9953
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9954
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000067e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9955
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xe5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xe6\\xb4\\xe5\\xa8\\xe5~\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xe8j\\x05\\xbc^\\xb8u~\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9956
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9957
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067e"
              }
            ],
            "repeated": 0,
            "id": 9958
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 9959
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9960
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9961
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9962
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9963
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9964
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9965
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}"
              }
            ],
            "repeated": 0,
            "id": 9966
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000680"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}"
              }
            ],
            "repeated": 0,
            "id": 9967
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000682"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9968
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000682"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9969
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xe5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xe6\\xd4\\xe5\\xc8\\xe5\\x82\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00p\\xe8j\\x05\\xbc^\\xb8u\\x82\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9970
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9971
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000684"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000682"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9972
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9973
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9974
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xe5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xfc\\xe5\\xac\\xe5\\xa0\\xe5\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02H\\xe8j\\x05\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9975
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9976
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000686"
              }
            ],
            "repeated": 0,
            "id": 9977
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000682"
              }
            ],
            "repeated": 0,
            "id": 9978
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9979
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9980
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9981
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9982
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9983
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9984
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9985
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}"
              }
            ],
            "repeated": 0,
            "id": 9986
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000680"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}"
              }
            ],
            "repeated": 0,
            "id": 9987
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000682"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9988
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000682"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9989
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xd3\\xdc\\xd2\\xd0\\xd2\\x82\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00x\\xd5j\\x05\\xbc^\\xb8u\\x82\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9990
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9991
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000684"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000682"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9992
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9993
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9994
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xd2j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xd3\\xb4\\xd2\\xa8\\xd2\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xd5j\\x05\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9995
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 9996
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000686"
              }
            ],
            "repeated": 0,
            "id": 9997
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000682"
              }
            ],
            "repeated": 0,
            "id": 9998
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 9999
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10000
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{4804E2C3-E6D2-C3C8-9B90-7998ECEA174E}"
              }
            ],
            "repeated": 0,
            "id": 10001
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10002
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10003
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00709000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10004
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10005
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10006
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{684B905C-253A-B907-ABFE-669923B52094}"
              }
            ],
            "repeated": 0,
            "id": 10007
          },
          {
            "timestamp": "2026-06-29 22:15:05,625",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10008
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10009
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10010
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10011
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{445A470C-ACAE-3D3C-6A63-1C81755357DB}"
              }
            ],
            "repeated": 0,
            "id": 10012
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10013
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10014
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10015
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10016
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{862DE940-3651-0C15-1C4B-9C5A2E8B6542}"
              }
            ],
            "repeated": 0,
            "id": 10017
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10018
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10019
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10020
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10021
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{3544BCCD-898A-9CF6-23B8-446E73CC91D4}"
              }
            ],
            "repeated": 0,
            "id": 10022
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10023
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10024
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10025
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10026
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{45B33F07-984A-E089-BC08-E689071A33EB}"
              }
            ],
            "repeated": 0,
            "id": 10027
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10028
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10029
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10030
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10031
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{AF4CC4BD-B0C6-39D5-0983-14A6FC00518C}"
              }
            ],
            "repeated": 0,
            "id": 10032
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10033
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10034
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10035
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10036
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{D989B690-86F0-28E6-6E40-52198381436D}"
              }
            ],
            "repeated": 0,
            "id": 10037
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10038
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10039
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10040
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10041
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{F2B256DC-FC33-97F8-90EC-1B3071A4843B}"
              }
            ],
            "repeated": 0,
            "id": 10042
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10043
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10044
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10045
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10046
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{CFF1461F-D0CC-8D3E-ED3B-3B20F7921452}"
              }
            ],
            "repeated": 0,
            "id": 10047
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10048
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10049
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10050
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10051
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{0F66B3AF-41C1-1DAB-ABA7-DC1272CA671A}"
              }
            ],
            "repeated": 0,
            "id": 10052
          },
          {
            "timestamp": "2026-06-29 22:15:05,640",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10053
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10054
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10055
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10056
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{B1E8B577-E1DC-8AAB-353F-6ACD4AD89676}"
              }
            ],
            "repeated": 0,
            "id": 10057
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10058
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10059
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10060
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10061
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{10C35B56-DAE4-B4BE-00E9-ABA1D2450843}"
              }
            ],
            "repeated": 0,
            "id": 10062
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10063
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10064
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10065
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10066
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{24E90374-6174-FD11-B767-2BFA77BBBC0C}"
              }
            ],
            "repeated": 0,
            "id": 10067
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10068
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10069
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10070
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10071
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{7F198693-5587-1489-B731-7821B2D1CD1A}"
              }
            ],
            "repeated": 0,
            "id": 10072
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10073
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10074
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10075
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10076
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{54E38381-828D-F861-C705-FE6C505C7714}"
              }
            ],
            "repeated": 0,
            "id": 10077
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10078
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10079
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10080
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10081
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{FDBB3937-B623-8E7A-7465-51AC356904EA}"
              }
            ],
            "repeated": 0,
            "id": 10082
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10083
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10084
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10085
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10086
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{75908FAB-5D7E-6BCE-4433-9A391EB9BC9E}"
              }
            ],
            "repeated": 0,
            "id": 10087
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10088
          },
          {
            "timestamp": "2026-06-29 22:15:05,656",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10089
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10090
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10091
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{61108999-6C64-15D1-CB75-3A949EFAD2D4}"
              }
            ],
            "repeated": 0,
            "id": 10092
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10093
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10094
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10095
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10096
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{084F1309-A383-49CE-7E61-2AEEEAEED318}"
              }
            ],
            "repeated": 0,
            "id": 10097
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10098
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10099
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10100
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10101
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{2B4664E0-D898-8DA5-448D-6C65D91E9FB8}"
              }
            ],
            "repeated": 0,
            "id": 10102
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10103
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10104
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10105
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10106
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{15A56B39-C080-BCE3-CA9C-8325D2E56AF0}"
              }
            ],
            "repeated": 0,
            "id": 10107
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10108
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10109
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10110
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10111
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{FBC859E8-C70D-B726-D17A-A28D16DFC074}"
              }
            ],
            "repeated": 0,
            "id": 10112
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10113
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10114
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10115
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10116
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{897FAE92-D6A6-45B4-8E11-F93DBFD86C26}"
              }
            ],
            "repeated": 0,
            "id": 10117
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10118
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10119
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10120
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10121
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{E45475F7-DBFB-506C-F08B-E5807F3EC774}"
              }
            ],
            "repeated": 0,
            "id": 10122
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10123
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10124
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10125
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10126
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{35BBD9BF-810A-20C0-72A4-D672CC5184BC}"
              }
            ],
            "repeated": 0,
            "id": 10127
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10128
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10129
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10130
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10131
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{CEEF8E0A-04B3-392F-3C31-B1A2C0852580}"
              }
            ],
            "repeated": 0,
            "id": 10132
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10133
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10134
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10135
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10136
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{E4D2F48C-C678-A56F-A39C-15E92EB98142}"
              }
            ],
            "repeated": 0,
            "id": 10137
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10138
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10139
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10140
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10141
          },
          {
            "timestamp": "2026-06-29 22:15:05,672",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{90065406-7E61-D4B4-4EB8-68E827C219F3}"
              }
            ],
            "repeated": 0,
            "id": 10142
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10143
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10144
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000684"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000688"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10145
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10146
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{A83BC5FD-30FB-B49B-2C88-E045D25C19AC}"
              }
            ],
            "repeated": 0,
            "id": 10147
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10148
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10149
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000688"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000684"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10150
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10151
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{92706906-1A3F-5E97-4CF8-A91385F8FBBB}"
              }
            ],
            "repeated": 0,
            "id": 10152
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10153
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10154
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000684"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000688"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10155
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10156
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{37460E25-161A-BEE1-CCFC-6A007B5473C7}"
              }
            ],
            "repeated": 0,
            "id": 10157
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10158
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10159
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000688"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000684"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10160
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10161
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{CD7B4624-4C0B-45E3-1F88-395234324817}"
              }
            ],
            "repeated": 0,
            "id": 10162
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10163
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10164
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000684"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000688"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10165
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10166
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{AA6F15C0-8DA5-6327-41AE-07973E8FA83D}"
              }
            ],
            "repeated": 0,
            "id": 10167
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10168
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10169
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000688"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000684"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10170
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10171
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{CE8E1C13-4ADA-73C8-9F40-C00BF61E92F0}"
              }
            ],
            "repeated": 0,
            "id": 10172
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10173
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10174
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000684"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000688"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10175
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10176
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{47B0D06B-16F7-198A-BD98-1E1440CD05F7}"
              }
            ],
            "repeated": 0,
            "id": 10177
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10178
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10179
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0070b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10180
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000688"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000684"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10181
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10182
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{99E8051C-8072-639B-C286-5FD99FB889DF}"
              }
            ],
            "repeated": 0,
            "id": 10183
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10184
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10185
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000684"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000688"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10186
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000684"
              }
            ],
            "repeated": 0,
            "id": 10187
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{E3A87F5A-DBF7-9CE3-467B-28774CE14835}"
              }
            ],
            "repeated": 0,
            "id": 10188
          },
          {
            "timestamp": "2026-06-29 22:15:05,687",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10189
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10190
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10191
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10192
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{11DE1AE2-5CDD-ECEB-204E-B7C8F6EE4158}"
              }
            ],
            "repeated": 0,
            "id": 10193
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10194
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10195
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10196
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10197
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{B3B39FB2-6686-1FF4-5FC8-79493C3101EC}"
              }
            ],
            "repeated": 0,
            "id": 10198
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10199
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10200
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000067c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10201
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067c"
              }
            ],
            "repeated": 0,
            "id": 10202
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{A043F00C-C563-B090-4192-E9C13A0ECB19}"
              }
            ],
            "repeated": 0,
            "id": 10203
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757dcaea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10204
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7585f399",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10205
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9fd84",
            "parentcaller": "0x7588d0b9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000674"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000067c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10206
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9106a",
            "parentcaller": "0x757df264",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10207
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "408",
            "caller": "0x75b9285d",
            "parentcaller": "0x757dfcdc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "RestrictedErrorObject-{F68D26BB-8A18-BFB4-60FC-2E69C22D675A}"
              }
            ],
            "repeated": 0,
            "id": 10208
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10209
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10210
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xf3\\x0c\\xf3\\x00\\xf3j\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xa8\\xf5\\xec\\x04\\xbc^\\xb8uj\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10211
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Shell"
              }
            ],
            "repeated": 0,
            "id": 10212
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000066a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Shell"
              }
            ],
            "repeated": 0,
            "id": 10213
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10214
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10215
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xef4\\xef(\\xef\\x8a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd0\\xf1\\xec\\x04\\xbc^\\xb8u\\x8a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10216
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell"
              }
            ],
            "repeated": 0,
            "id": 10217
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10218
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10219
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xec\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xed\\xb4\\xec\\xa8\\xec\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00P\\xef\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10220
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10221
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000684"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10222
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10223
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10224
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xef\\\\xefP\\xef\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xf8\\xf1\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10225
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10226
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000686"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\"
              }
            ],
            "repeated": 0,
            "id": 10227
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10228
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10229
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xee\\x8c\\xee\\x80\\xeej\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00(\\xf1\\xec\\x04\\xbc^\\xb8uj\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10230
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 10231
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000690"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000066a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 10232
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10233
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10234
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xef\\xc4\\xee\\xb8\\xee\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00`\\xf1\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10235
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10236
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000694"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000686"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\"
              }
            ],
            "repeated": 0,
            "id": 10237
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10238
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10239
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xec\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xed\\xb4\\xec\\xa8\\xec\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xef\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10240
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10241
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b81962",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10242
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10243
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xef\\x04\\xef\\xf8\\xee\\x8a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf1\\xec\\x04\\xbc^\\xb8u\\x8a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10244
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell"
              }
            ],
            "repeated": 0,
            "id": 10245
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10246
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 10247
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10248
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10249
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10250
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10251
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000698"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10252
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10253
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10254
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf2\\xe4\\xf1\\xd8\\xf1\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x80\\xf4\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10255
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10256
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\"
              }
            ],
            "repeated": 0,
            "id": 10257
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10258
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10259
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf1\\x14\\xf1\\x08\\xf1j\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb0\\xf3\\xec\\x04\\xbc^\\xb8uj\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10260
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 10261
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000066a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 10262
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10263
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10264
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf1L\\xf1@\\xf1\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\xe8\\xf3\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10265
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10266
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\"
              }
            ],
            "repeated": 0,
            "id": 10267
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10268
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10269
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10270
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10271
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 10272
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10273
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10274
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10275
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10276
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10277
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10278
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10279
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf2\\xe4\\xf1\\xd8\\xf1\\xaa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x80\\xf4\\xec\\x04\\xbc^\\xb8u\\xaa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10280
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10281
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006aa"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser\\"
              }
            ],
            "repeated": 0,
            "id": 10282
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10283
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000066a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10284
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf1\\x14\\xf1\\x08\\xf1j\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb0\\xf3\\xec\\x04\\xbc^\\xb8uj\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10285
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 10286
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000066a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 10287
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10288
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10289
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf1L\\xf1@\\xf1\\xaa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\xe8\\xf3\\xec\\x04\\xbc^\\xb8u\\xaa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10290
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10291
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006aa"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser\\"
              }
            ],
            "repeated": 0,
            "id": 10292
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10293
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10294
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\xaa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\xaa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10295
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10296
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10297
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7641d7c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000068a"
              }
            ],
            "repeated": 0,
            "id": 10298
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10299
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10300
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf1\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10301
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10302
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10303
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10304
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf0\\xbc\\xef\\xb0\\xef\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf2\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10305
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10306
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10307
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10308
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10309
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10310
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10311
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10312
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10313
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10314
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10315
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI"
              }
            ],
            "repeated": 0,
            "id": 10316
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10317
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI"
              }
            ],
            "repeated": 0,
            "id": 10318
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10319
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10320
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf1\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10321
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10322
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10323
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10324
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf0\\xbc\\xef\\xb0\\xef\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf2\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10325
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10326
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10327
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 10328
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10329
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10330
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 10331
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10332
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10333
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10334
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10335
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10336
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10337
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10338
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf1\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10339
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10340
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10341
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10342
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf0\\xbc\\xef\\xb0\\xef\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf2\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10343
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10344
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10345
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10346
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10347
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10348
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10349
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10350
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10351
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10352
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10353
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10354
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10355
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10356
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10357
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10358
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10359
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10360
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10361
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10362
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xf1\\x9c\\xf1\\x90\\xf1\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xf4\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10363
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10364
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10365
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10366
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf2\\xb4\\xf1\\xa8\\xf1\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf4\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10367
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10368
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10369
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10370
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10371
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10372
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10373
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10374
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10375
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10376
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10377
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10378
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe6<\\xe60\\xe6\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe8\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10379
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10380
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10381
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10382
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xe9\\x14\\xe9\\x08\\xe9\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xeb\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10383
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10384
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10385
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10386
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10387
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10388
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10389
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10390
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10391
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10392
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10393
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10394
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10395
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10396
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10397
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10398
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10399
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10400
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10401
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10402
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10403
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10404
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10405
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10406
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xf2\\x94\\xf2\\x88\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10407
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open\\command"
              }
            ],
            "repeated": 0,
            "id": 10408
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000068e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command"
              }
            ],
            "repeated": 0,
            "id": 10409
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10410
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10411
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\x8a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\x8a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10412
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open\\command"
              }
            ],
            "repeated": 0,
            "id": 10413
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000068a"
              }
            ],
            "repeated": 0,
            "id": 10414
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10415
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10416
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xf2\\x94\\xf2\\x88\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10417
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open\\DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 10418
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000068e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 10419
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10420
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10421
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10422
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10423
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10424
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10425
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf2\\x14\\xf2\\x08\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf4\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10426
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10427
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10428
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 10429
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10430
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10431
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10432
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xe9,\\xe9 \\xe9\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xeb\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10433
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10434
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10435
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10436
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf2L\\xf2@\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf4\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10437
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10438
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10439
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10440
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xf2\\xcc\\xf1\\xc0\\xf1\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02h\\xf4\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10441
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10442
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10443
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10444
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xf2\\x84\\xf2x\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02 \\xf5\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10445
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10446
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10447
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10448
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10449
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10450
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10451
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10452
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf1\\xc4\\xf0\\xb8\\xf0\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf3\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10453
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10454
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10455
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10456
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10457
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10458
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10459
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10460
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10461
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10462
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10463
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10464
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf3\\xe4\\xf2\\xd8\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf5\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10465
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10466
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10467
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10468
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf2\\xa4\\xf2\\x98\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf5\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10469
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10470
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10471
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10472
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf2\\xa4\\xf2\\x98\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf5\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10473
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10474
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10475
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10476
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xe9\\xe4\\xe8\\xd8\\xe8\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xeb\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10477
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10478
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10479
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10480
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xe9\\xc4\\xe8\\xb8\\xe8\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xeb\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10481
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10482
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10483
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10484
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xe9\\xd4\\xe8\\xc8\\xe8\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xeb\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10485
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10486
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10487
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000686"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10488
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf1\\xbc\\xf0\\xb0\\xf0\\x86\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf3\\xec\\x04\\xbc^\\xb8u\\x86\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10489
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10490
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10491
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10492
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10493
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10494
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10495
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10496
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10497
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10498
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10499
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000696"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10500
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xa4\\xf2T\\xf2H\\xf2\\x96\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf0\\xf4\\xec\\x04\\xbc^\\xb8u\\x96\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10501
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10502
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10503
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10504
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xf3\\xd4\\xf2\\xc8\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10505
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10506
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10507
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10508
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10509
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10510
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10511
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10512
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10513
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10514
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10515
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10516
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10517
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10518
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10519
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10520
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10521
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10522
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10523
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10524
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xf1\\x9c\\xf1\\x90\\xf1\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xf4\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10525
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10526
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10527
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10528
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf2\\xb4\\xf1\\xa8\\xf1\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf4\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10529
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10530
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10531
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10532
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10533
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10534
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10535
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10536
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10537
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10538
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10539
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10540
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe6<\\xe60\\xe6\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe8\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10541
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10542
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10543
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10544
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xe9\\x14\\xe9\\x08\\xe9\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xeb\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10545
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10546
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10547
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10548
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10549
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10550
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10551
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10552
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10553
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10554
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10555
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10556
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10557
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10558
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10559
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10560
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10561
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10562
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10563
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10564
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10565
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10566
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10567
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10568
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xf2\\x94\\xf2\\x88\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10569
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 10570
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 10571
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10572
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10573
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\x8a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\x8a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10574
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 10575
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000068a"
              }
            ],
            "repeated": 0,
            "id": 10576
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10577
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10578
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xf2\\x94\\xf2\\x88\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10579
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 10580
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 10581
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10582
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10583
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10584
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10585
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10586
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10587
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf2\\x14\\xf2\\x08\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf4\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10588
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10589
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10590
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 10591
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10592
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10593
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10594
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xe9,\\xe9 \\xe9\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xeb\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10595
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10596
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x7514aebc",
            "parentcaller": "0x7514ada2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 10597
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x7514af11",
            "parentcaller": "0x7514ada2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10598
          },
          {
            "timestamp": "2026-06-29 22:15:05,703",
            "thread_id": "168",
            "caller": "0x7514a7a0",
            "parentcaller": "0x75149db4",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\shell32.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10599
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x7514a7a0",
            "parentcaller": "0x75149db4",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "168"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x751524ac"
              }
            ],
            "repeated": 0,
            "id": 10600
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x7514a871",
            "parentcaller": "0x75149db4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 10601
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x76f62db9",
            "parentcaller": "0x76f62a84",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots"
              }
            ],
            "repeated": 0,
            "id": 10602
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x76f63262",
            "parentcaller": "0x76f631d7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe.Local\\"
              }
            ],
            "repeated": 0,
            "id": 10603
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x76f630dc",
            "parentcaller": "0x76f62b6b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000688"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100020",
                "pretty_value": "FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 10604
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x76f63262",
            "parentcaller": "0x76f457a5",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\imageres.dll"
              }
            ],
            "repeated": 0,
            "id": 10605
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x76f63262",
            "parentcaller": "0x76f457a5",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 0,
            "id": 10606
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10607
          },
          {
            "timestamp": "2026-06-29 22:15:05,718",
            "thread_id": "168",
            "caller": "0x75b8f828",
            "parentcaller": "0x75b90c3e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000674"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\imageres.dll"
              }
            ],
            "repeated": 0,
            "id": 10608
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b90c83",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05720000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10609
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b90ce9",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10610
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b90cf5",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b8"
              }
            ],
            "repeated": 0,
            "id": 10611
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f392db",
            "parentcaller": "0x76f39742",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10612
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f3978c",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006b8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10613
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f397b4",
            "parentcaller": "0x76f3926e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000674"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06e10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ece730"
              },
              {
                "name": "ViewSize",
                "value": "0x013ac000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10614
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f397c4",
            "parentcaller": "0x76f3926e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 10615
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10616
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76240000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10617
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74040000"
              },
              {
                "name": "ModuleName",
                "value": "comctl32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10618
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74040000"
              },
              {
                "name": "ModuleName",
                "value": "comctl32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10619
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10620
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10621
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf2L\\xf2@\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf4\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10622
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10623
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10624
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10625
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xf2\\xcc\\xf1\\xc0\\xf1\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02h\\xf4\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10626
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10627
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10628
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10629
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xf2\\x84\\xf2x\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02 \\xf5\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10630
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10631
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10632
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10633
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10634
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10635
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10636
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10637
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf1\\xc4\\xf0\\xb8\\xf0\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf3\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10638
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10639
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10640
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10641
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10642
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10643
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10644
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10645
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10646
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10647
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10648
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10649
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf3\\xe4\\xf2\\xd8\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf5\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10650
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10651
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10652
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10653
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf2\\xa4\\xf2\\x98\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf5\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10654
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10655
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10656
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10657
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf2\\xa4\\xf2\\x98\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf5\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10658
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10659
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10660
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10661
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xe9\\xe4\\xe8\\xd8\\xe8\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xeb\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10662
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10663
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10664
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10665
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xe9\\xc4\\xe8\\xb8\\xe8\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xeb\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10666
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10667
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10668
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10669
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xe9\\xd4\\xe8\\xc8\\xe8\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xeb\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10670
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10671
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10672
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10673
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf1\\xbc\\xf0\\xb0\\xf0\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf3\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10674
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10675
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10676
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10677
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10678
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10679
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10680
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10681
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10682
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10683
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10684
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10685
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xa4\\xf2T\\xf2H\\xf2\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf0\\xf4\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10686
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10687
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10688
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10689
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xf3\\xd4\\xf2\\xc8\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10690
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10691
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10692
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10693
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10694
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10695
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10696
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10697
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\x9e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10698
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10699
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10700
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10701
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10702
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10703
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10704
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10705
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10706
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10707
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10708
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10709
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xf1\\x9c\\xf1\\x90\\xf1\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xf4\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10710
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10711
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10712
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10713
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf2\\xb4\\xf1\\xa8\\xf1\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf4\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10714
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10715
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006b6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10716
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006b6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10717
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xb6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xb6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10718
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10719
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006b6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10720
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006b6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10721
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xb6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xb6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10722
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10723
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10724
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10725
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe6<\\xe60\\xe6\\xaa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe8\\xec\\x04\\xbc^\\xb8u\\xaa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10726
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10727
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10728
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006aa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10729
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xe9\\x14\\xe9\\x08\\xe9\\xaa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xeb\\xec\\x04\\xbc^\\xb8u\\xaa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10730
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10731
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10732
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ae"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10733
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xae\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xae\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10734
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runasuser"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser"
              }
            ],
            "repeated": 0,
            "id": 10735
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10736
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000068e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10737
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\x8e\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10738
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10739
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b83595",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10740
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86683",
            "parentcaller": "0x75b83600",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 10741
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "ValueName",
                "value": "SlowContextMenuEntries"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Buffer",
                "value": "`$\\xb2!\\xea:i\\x10\\xa2\\xdc\\x08\\x00+00\\x9d\\x87\\x01\\x00\\x00\\xbd\\x0e\\x0cGs]XM\\x9c\\xed\\xe9\\x1e\"\\xe22\\x822\\x02\\x00\\x00\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00FR\\x02\\x00\\x00N:\\xaa\\x90\\xba\\x1c3B\\xb8\\xbbSWs\\xd4\\x84I)\\x01\\x00\\x00@\\xc7\\xa4{\\x81\\x9e\\xcf\\x11\\x99\\xd3\\x00\\xaa\\x00J\\xe87\\xaf\n\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries"
              }
            ],
            "repeated": 0,
            "id": 10742
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 10743
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 10744
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10745
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 10746
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10747
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10748
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10749
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10750
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10751
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10752
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10753
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10754
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10755
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 10756
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10757
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003fe"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10758
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xf5D\\xf58\\xf5\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xe0\\xf7\\xec\\x04\\xbc^\\xb8u\\xfe\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10759
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 10760
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003fe"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\"
              }
            ],
            "repeated": 0,
            "id": 10761
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 10762
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10763
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10764
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xf5<\\xf50\\xf5\n\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf7\\xec\\x04\\xbc^\\xb8u\n\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10765
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 10766
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000040a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\"
              }
            ],
            "repeated": 0,
            "id": 10767
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10768
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10769
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\n\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\n\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10770
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 10771
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10772
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10773
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10774
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10775
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10776
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10777
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10778
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10779
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10780
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 10781
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10782
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10783
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10784
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 10785
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10786
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10787
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10788
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 10789
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x74850991",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 10790
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x74850991",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "Milliseconds",
                "value": "150"
              }
            ],
            "repeated": 0,
            "id": 10791
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10792
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10793
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xf3\\x0c\\xf3\\x00\\xf3\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xa8\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10794
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\SystemFileAssociations\\.exe\\Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\Shell"
              }
            ],
            "repeated": 0,
            "id": 10795
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006be"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\Shell"
              }
            ],
            "repeated": 0,
            "id": 10796
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 10797
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 10798
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10799
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 10800
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10801
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10802
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10803
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10804
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10805
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10806
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10807
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10808
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10809
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 10810
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10811
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10812
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xf5D\\xf58\\xf5\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xe0\\xf7\\xec\\x04\\xbc^\\xb8u\\x12\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10813
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 10814
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\"
              }
            ],
            "repeated": 0,
            "id": 10815
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 10816
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000416"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10817
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000416"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10818
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xf5<\\xf50\\xf5\\x16\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf7\\xec\\x04\\xbc^\\xb8u\\x16\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10819
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 10820
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000416"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\"
              }
            ],
            "repeated": 0,
            "id": 10821
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000416"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10822
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000416"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10823
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x16\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x16\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10824
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 10825
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10826
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10827
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10828
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10829
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10830
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10831
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10832
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10833
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10834
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 10835
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10836
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10837
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10838
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 10839
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10840
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10841
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10842
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program"
              }
            ],
            "repeated": 0,
            "id": 10843
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Kind.program"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10844
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10845
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xf3\\x0c\\xf3\\x00\\xf3\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xa8\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10846
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\Kind.program\\Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program\\Shell"
              }
            ],
            "repeated": 0,
            "id": 10847
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006be"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\Shell"
              }
            ],
            "repeated": 0,
            "id": 10848
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 10849
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 10850
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10851
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 10852
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10853
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10854
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10855
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10856
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10857
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10858
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10859
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10860
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 10861
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 10862
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10863
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10864
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xf5D\\xf58\\xf5\\x1a\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xe0\\xf7\\xec\\x04\\xbc^\\xb8u\\x1a\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10865
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 10866
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\"
              }
            ],
            "repeated": 0,
            "id": 10867
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 10868
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10869
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10870
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xf5<\\xf50\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf7\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10871
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 10872
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041e"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\"
              }
            ],
            "repeated": 0,
            "id": 10873
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10874
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10875
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u\\x1e\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10876
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 10877
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 10878
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10879
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10880
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10881
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10882
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10883
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10884
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10885
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 10886
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 10887
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10888
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10889
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10890
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 10891
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10892
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10893
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10894
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 10895
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x74850991",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 10896
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x74850991",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "Milliseconds",
                "value": "150"
              }
            ],
            "repeated": 0,
            "id": 10897
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10898
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10899
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xf3\\x0c\\xf3\\x00\\xf3\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xa8\\xf5\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10900
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\Shell"
              }
            ],
            "repeated": 0,
            "id": 10901
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006be"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\Shell"
              }
            ],
            "repeated": 0,
            "id": 10902
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10903
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10904
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xef4\\xef(\\xefv\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd0\\xf1\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10905
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell"
              }
            ],
            "repeated": 0,
            "id": 10906
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10907
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10908
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xec\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xed\\xb4\\xec\\xa8\\xec\\x1a\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00P\\xef\\xec\\x04\\xbc^\\xb8u\\x1a\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10909
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10910
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 10911
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b81962",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10912
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10913
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xef\\x04\\xef\\xf8\\xeev\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf1\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10914
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell"
              }
            ],
            "repeated": 0,
            "id": 10915
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10916
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10917
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10918
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\x1a\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\x1a\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10919
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 10920
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 10921
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10922
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10923
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf2\\xe4\\xf1\\xd8\\xf1\\xc2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x80\\xf4\\xec\\x04\\xbc^\\xb8u\\xc2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10924
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 10925
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006c2"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties\\"
              }
            ],
            "repeated": 0,
            "id": 10926
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10927
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10928
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf1\\x14\\xf1\\x08\\xf1\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb0\\xf3\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10929
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 10930
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006be"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\"
              }
            ],
            "repeated": 0,
            "id": 10931
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10932
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10933
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf1L\\xf1@\\xf1\\xc2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\xe8\\xf3\\xec\\x04\\xbc^\\xb8u\\xc2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10934
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 10935
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006c2"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties\\"
              }
            ],
            "repeated": 0,
            "id": 10936
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10937
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10938
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\xc2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\xc2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10939
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 10940
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 10941
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10942
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10943
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\x1a\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\x1a\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10944
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10945
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10946
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10947
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10948
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf2\\xe4\\xf1\\xd8\\xf1\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x80\\xf4\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10949
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10950
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas\\"
              }
            ],
            "repeated": 0,
            "id": 10951
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10952
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10953
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf1\\x14\\xf1\\x08\\xf1\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb0\\xf3\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10954
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 10955
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006be"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\"
              }
            ],
            "repeated": 0,
            "id": 10956
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10957
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10958
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf1L\\xf1@\\xf1\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\xe8\\xf3\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10959
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10960
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas\\"
              }
            ],
            "repeated": 0,
            "id": 10961
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10962
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10963
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10964
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 10965
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 10966
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10967
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000041a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10968
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\x1a\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\x1a\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10969
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 10970
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000041a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 10971
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10972
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10973
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf2\\xe4\\xf1\\xd8\\xf1\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x80\\xf4\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10974
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 10975
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\"
              }
            ],
            "repeated": 0,
            "id": 10976
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10977
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10978
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf1\\x14\\xf1\\x08\\xf1\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb0\\xf3\\xec\\x04\\xbc^\\xb8u\\xbe\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10979
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*"
              }
            ],
            "repeated": 0,
            "id": 10980
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006be"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\"
              }
            ],
            "repeated": 0,
            "id": 10981
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10982
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10983
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf1L\\xf1@\\xf1\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\xe8\\xf3\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10984
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 10985
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\"
              }
            ],
            "repeated": 0,
            "id": 10986
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10987
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10988
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10989
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 10990
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10991
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7641d7c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 10992
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10993
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10994
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf1\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10995
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 10996
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 10997
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 10998
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf0\\xbc\\xef\\xb0\\xef\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf2\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10999
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11000
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11001
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11002
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11003
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11004
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11005
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11006
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11007
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11008
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11009
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11010
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf1\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11011
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11012
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11013
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11014
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf0\\xbc\\xef\\xb0\\xef\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf2\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11015
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11016
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11017
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11018
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11019
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11020
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11021
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11022
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf1\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11023
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11024
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11025
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11026
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf0\\xbc\\xef\\xb0\\xef\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf2\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11027
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11028
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11029
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11030
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11031
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11032
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11033
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11034
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11035
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11036
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11037
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11038
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11039
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11040
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11041
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11042
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11043
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11044
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11045
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11046
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xf1\\x9c\\xf1\\x90\\xf1\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xf4\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11047
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11048
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11049
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11050
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf2\\xb4\\xf1\\xa8\\xf1\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf4\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11051
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11052
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11053
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11054
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xce\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xce\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11055
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11056
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11057
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11058
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xce\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xce\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11059
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11060
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11061
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11062
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe6<\\xe60\\xe6\\xc2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe8\\xec\\x04\\xbc^\\xb8u\\xc2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11063
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11064
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11065
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11066
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xe9\\x14\\xe9\\x08\\xe9\\xc2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xeb\\xec\\x04\\xbc^\\xb8u\\xc2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11067
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11068
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11069
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11070
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11071
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11072
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11073
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11074
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11075
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11076
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11077
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11078
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11079
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11080
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11081
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11082
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xc6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11083
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\removeproperties"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties"
              }
            ],
            "repeated": 0,
            "id": 11084
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11085
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11086
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11087
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11088
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11089
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11090
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11091
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11092
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11093
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11094
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xf1\\x9c\\xf1\\x90\\xf1\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xf4\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11095
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11096
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11097
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11098
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf2\\xb4\\xf1\\xa8\\xf1\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf4\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11099
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11100
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11101
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11102
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11103
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11104
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11105
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11106
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11107
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11108
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11109
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11110
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe6<\\xe60\\xe6\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe8\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11111
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11112
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11113
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11114
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xe9\\x14\\xe9\\x08\\xe9\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xeb\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11115
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11116
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11117
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11118
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11119
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11120
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11121
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11122
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11123
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11124
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11125
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11126
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11127
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11128
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11129
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11130
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11131
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11132
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11133
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11134
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11135
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11136
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11137
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11138
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xf2\\x94\\xf2\\x88\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11139
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 11140
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006d6"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 11141
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas\\command"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11142
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11143
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11144
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 11145
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 11146
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11147
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11148
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xf2\\x94\\xf2\\x88\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11149
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas\\DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 11150
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006d6"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 11151
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11152
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11153
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11154
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11155
          },
          {
            "timestamp": "2026-06-29 22:15:05,734",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11156
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11157
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf2\\x14\\xf2\\x08\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf4\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11158
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11159
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11160
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 11161
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f0"
              }
            ],
            "repeated": 0,
            "id": 11162
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11163
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11164
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xe9,\\xe9 \\xe9\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xeb\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11165
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11166
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11167
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11168
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf2L\\xf2@\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf4\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11169
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11170
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11171
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11172
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x1c\\xf2\\xcc\\xf1\\xc0\\xf1\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02h\\xf4\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11173
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11174
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11175
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11176
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xf2\\x84\\xf2x\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02 \\xf5\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11177
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11178
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11179
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11180
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11181
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11182
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11183
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11184
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf1\\xc4\\xf0\\xb8\\xf0\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf3\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11185
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11186
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11187
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11188
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11189
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11190
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11191
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11192
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11193
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11194
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11195
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11196
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf3\\xe4\\xf2\\xd8\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf5\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11197
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11198
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11199
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11200
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf2\\xa4\\xf2\\x98\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf5\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11201
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11202
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11203
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11204
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xf4\\xf2\\xa4\\xf2\\x98\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02@\\xf5\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11205
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11206
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11207
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11208
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xe9\\xe4\\xe8\\xd8\\xe8\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xeb\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11209
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11210
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11211
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11212
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xe9\\xc4\\xe8\\xb8\\xe8\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xeb\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11213
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11214
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11215
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11216
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xe9\\xd4\\xe8\\xc8\\xe8\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xeb\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11217
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11218
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11219
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11220
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf1\\xbc\\xf0\\xb0\\xf0\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf3\\xec\\x04\\xbc^\\xb8u\\xd2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11221
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11222
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11223
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11224
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11225
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11226
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11227
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11228
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11229
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11230
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11231
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11232
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xa4\\xf2T\\xf2H\\xf2\\xde\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf0\\xf4\\xec\\x04\\xbc^\\xb8u\\xde\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11233
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11234
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11235
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11236
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xf3\\xd4\\xf2\\xc8\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02p\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11237
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11238
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11239
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11240
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11241
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11242
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11243
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11244
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\xd6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11245
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11246
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11247
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11248
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11249
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11250
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11251
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11252
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11253
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11254
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11255
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11256
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xf1\\x9c\\xf1\\x90\\xf1\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xf4\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11257
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11258
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11259
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11260
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf2\\xb4\\xf1\\xa8\\xf1\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf4\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11261
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11262
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11263
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11264
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xee\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11265
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11266
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11267
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11268
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\xee\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11269
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11270
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11271
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11272
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe6<\\xe60\\xe6\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe8\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11273
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11274
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11275
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11276
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11277
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "*\\shell\\UpdateEncryptionSettingsWork\\Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\Shell"
              }
            ],
            "repeated": 0,
            "id": 11278
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\Shell"
              }
            ],
            "repeated": 0,
            "id": 11279
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11280
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11281
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x749542c0",
            "parentcaller": "0x7483935c",
            "category": "registry",
            "api": "RegEnumKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "Decrypt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\Shell\\Decrypt"
              }
            ],
            "repeated": 0,
            "id": 11282
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x749542d3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              }
            ],
            "repeated": 0,
            "id": 11283
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11284
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11285
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xe9\\x14\\xe9\\x08\\xe9\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xeb\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11286
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11287
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11288
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11289
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11290
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11291
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11292
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11293
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11294
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11295
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11296
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11297
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11298
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11299
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11300
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11301
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11302
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11303
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11304
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11305
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11306
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11307
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11308
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11309
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xf2\\x94\\xf2\\x88\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf5\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11310
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\command"
              }
            ],
            "repeated": 0,
            "id": 11311
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006e6"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\command"
              }
            ],
            "repeated": 0,
            "id": 11312
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11313
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11314
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xf2\\x94\\xf2\\x88\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf5\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11315
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork\\DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 11316
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006e6"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 11317
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11318
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11319
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00l\\xf2\\x1c\\xf2\\x10\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb8\\xf4\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11320
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11321
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11322
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11323
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf2\\x14\\xf2\\x08\\xf2\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xf4\\xec\\x04\\xbc^\\xb8u\\xe6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11324
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11325
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11326
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 11327
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f0"
              }
            ],
            "repeated": 0,
            "id": 11328
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11329
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 11330
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f78aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f0"
              }
            ],
            "repeated": 0,
            "id": 11331
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11332
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11333
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xe9,\\xe9 \\xe9\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xeb\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11334
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11335
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11336
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11337
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf2L\\xf2@\\xf2\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xf4\\xec\\x04\\xbc^\\xb8u\\xee\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11338
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11339
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11340
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11341
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xf2\\x84\\xf2x\\xf2\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02 \\xf5\\xec\\x04\\xbc^\\xb8u\\xee\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11342
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11343
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11344
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11345
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11346
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11347
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11348
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11349
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf1\\xc4\\xf0\\xb8\\xf0\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf3\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11350
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11351
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11352
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11353
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11354
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11355
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11356
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11357
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xf2$\\xf2\\x18\\xf2\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf4\\xec\\x04\\xbc^\\xb8u\\xe2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11358
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11359
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11360
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11361
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf3\\xe4\\xf2\\xd8\\xf2\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf5\\xec\\x04\\xbc^\\xb8u\\xee\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11362
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11363
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11364
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11365
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf2t\\xf2h\\xf2\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf5\\xec\\x04\\xbc^\\xb8u\\xee\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11366
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11367
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11368
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11369
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xf2t\\xf2h\\xf2\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10\\xf5\\xec\\x04\\xbc^\\xb8u\\xee\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11370
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11371
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11372
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11373
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf3\\xc4\\xf2\\xb8\\xf2\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xf5\\xec\\x04\\xbc^\\xb8u\\xee\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11374
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork"
              }
            ],
            "repeated": 0,
            "id": 11375
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x764554ae",
            "parentcaller": "0x7652844f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006f0"
              }
            ],
            "repeated": 0,
            "id": 11376
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x7641ab79",
            "parentcaller": "0x764554e1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11377
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x7645550b",
            "parentcaller": "0x7652844f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f0"
              }
            ],
            "repeated": 0,
            "id": 11378
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11379
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11380
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11381
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 11382
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 11383
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11384
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11385
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xee$\\xee\\x18\\xee\\xf2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\xf0\\xec\\x04\\xbc^\\xb8u\\xf2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11386
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 11387
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76455761",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              }
            ],
            "repeated": 0,
            "id": 11388
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11389
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11390
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xf5D\\xf58\\xf5\"\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xe0\\xf7\\xec\\x04\\xbc^\\xb8u\"\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11391
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 11392
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000422"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\"
              }
            ],
            "repeated": 0,
            "id": 11393
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              }
            ],
            "repeated": 0,
            "id": 11394
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11395
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11396
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xf5<\\xf50\\xf5&\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf7\\xec\\x04\\xbc^\\xb8u&\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11397
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 11398
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000426"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\"
              }
            ],
            "repeated": 0,
            "id": 11399
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11400
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000426"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11401
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf5d\\xf5X\\xf5&\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf8\\xec\\x04\\xbc^\\xb8u&\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11402
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 11403
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11404
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11405
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11406
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 11407
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 11408
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11409
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11410
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf5\\xe4\\xf4\\xd8\\xf4\\xf6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x80\\xf7\\xec\\x04\\xbc^\\xb8u\\xf6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11411
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 11412
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f6"
              }
            ],
            "repeated": 0,
            "id": 11413
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11414
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11415
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2\\xf2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8u\\xf2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11416
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 11417
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11418
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11419
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf3\\x04\\xf3\\xf8\\xf2\\xf2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf5\\xec\\x04\\xbc^\\xb8u\\xf2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11420
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 11421
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11422
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11423
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf2L\\xf2@\\xf2\"\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xe8\\xf4\\xec\\x04\\xbc^\\xb8u\"\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11424
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 11425
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000422"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\"
              }
            ],
            "repeated": 0,
            "id": 11426
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x7674c908",
            "parentcaller": "0x76448606",
            "category": "registry",
            "api": "NtQueryKey",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "KeyInformation",
                "value": ""
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11427
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x7674c938",
            "parentcaller": "0x76448606",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11428
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f6"
              }
            ],
            "repeated": 0,
            "id": 11429
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11430
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11431
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xf3\\x0c\\xf3\\x00\\xf3\\xf2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xa8\\xf5\\xec\\x04\\xbc^\\xb8u\\xf2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11432
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\Shell"
              }
            ],
            "repeated": 0,
            "id": 11433
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Shell"
              }
            ],
            "repeated": 0,
            "id": 11434
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11435
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11436
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xef4\\xef(\\xef\\xf6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd0\\xf1\\xec\\x04\\xbc^\\xb8u\\xf6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11437
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell"
              }
            ],
            "repeated": 0,
            "id": 11438
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11439
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11440
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xec\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xed\\xb4\\xec\\xa8\\xec\"\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00P\\xef\\xec\\x04\\xbc^\\xb8u\"\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11441
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 11442
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000422"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\open"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\open"
              }
            ],
            "repeated": 0,
            "id": 11443
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b81962",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11444
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11445
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xef\\x04\\xef\\xf8\\xee\\xf6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf1\\xec\\x04\\xbc^\\xb8u\\xf6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11446
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell"
              }
            ],
            "repeated": 0,
            "id": 11447
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11448
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11449
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11450
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\"\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\"\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11451
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11452
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000422"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11453
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11454
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11455
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf2\\xe4\\xf1\\xd8\\xf1v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x80\\xf4\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11456
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11457
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000676"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl\\"
              }
            ],
            "repeated": 0,
            "id": 11458
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11459
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11460
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf1\\x14\\xf1\\x08\\xf1\\xf2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb0\\xf3\\xec\\x04\\xbc^\\xb8u\\xf2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11461
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 11462
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\"
              }
            ],
            "repeated": 0,
            "id": 11463
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11464
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11465
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf1L\\xf1@\\xf1v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\xe8\\xf3\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11466
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11467
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000700"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000676"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl\\"
              }
            ],
            "repeated": 0,
            "id": 11468
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11469
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11470
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xefv\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xf1\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11471
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11472
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11473
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11474
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000422"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11475
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\"\\x04\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\"\\x04\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11476
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11477
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000704"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000422"
              },
              {
                "name": "ObjectAttributesName",
                "value": "shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11478
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11479
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11480
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x004\\xf2\\xe4\\xf1\\xd8\\xf1\\x06\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x80\\xf4\\xec\\x04\\xbc^\\xb8u\\x06\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11481
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11482
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000708"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000706"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter\\"
              }
            ],
            "repeated": 0,
            "id": 11483
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11484
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11485
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xf1\\x14\\xf1\\x08\\xf1\\xf2\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xb0\\xf3\\xec\\x04\\xbc^\\xb8u\\xf2\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11486
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 11487
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\"
              }
            ],
            "repeated": 0,
            "id": 11488
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11489
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11490
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xf1L\\xf1@\\xf1\\x06\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\xe8\\xf3\\xec\\x04\\xbc^\\xb8u\\x06\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11491
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11492
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000710"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000706"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter\\"
              }
            ],
            "repeated": 0,
            "id": 11493
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11494
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11495
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xef<\\xef0\\xef\\x06\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xf1\\xec\\x04\\xbc^\\xb8u\\x06\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11496
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11497
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b823a7",
            "parentcaller": "0x75b82302",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f6"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 11498
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7641d7c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f6"
              }
            ],
            "repeated": 0,
            "id": 11499
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11500
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11501
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf1\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11502
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11503
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11504
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11505
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf0\\xbc\\xef\\xb0\\xef\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf2\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11506
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11507
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11508
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11509
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11510
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11511
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11512
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11513
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11514
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11515
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11516
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11517
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xf2\\x04\\xf2\\xf8\\xf1\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa0\\xf4\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11518
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11519
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11520
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11521
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xf0\\xbc\\xef\\xb0\\xef\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xf2\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11522
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11523
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11524
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11525
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11526
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11527
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11528
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11529
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xf1\\xfc\\xf0\\xf0\\xf0\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x98\\xf3\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11530
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11531
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11532
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11533
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11534
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11535
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11536
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11537
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11538
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11539
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11540
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11541
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xf1\\x9c\\xf1\\x90\\xf1\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xf4\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11542
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11543
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11544
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11545
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf2\\xb4\\xf1\\xa8\\xf1\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf4\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11546
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11547
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000702"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11548
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000702"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11549
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\x02\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\x02\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11550
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11551
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000702"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11552
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000702"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11553
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\x02\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\x02\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11554
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11555
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11556
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11557
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe6<\\xe60\\xe6v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe8\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11558
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11559
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11560
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11561
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xe9\\x14\\xe9\\x08\\xe9v\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xeb\\xec\\x04\\xbc^\\xb8uv\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11562
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11563
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11564
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11565
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11566
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11567
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11568
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11569
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11570
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11571
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11572
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11573
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11574
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11575
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11576
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11577
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\\xfa\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11578
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl"
              }
            ],
            "repeated": 0,
            "id": 11579
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11580
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11581
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11582
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11583
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11584
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11585
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11586
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11587
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11588
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11589
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xf1\\x9c\\xf1\\x90\\xf1\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xf4\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11590
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11591
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11592
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11593
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf2\\xb4\\xf1\\xa8\\xf1\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf4\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11594
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11595
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000712"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11596
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000712"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11597
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\x12\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\x12\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11598
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11599
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000712"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11600
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000712"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11601
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf3\\xb4\\xf2\\xa8\\xf2\\x12\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf5\\xec\\x04\\xbc^\\xb8u\\x12\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11602
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11603
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11604
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11605
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe6\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe6<\\xe60\\xe6\\x06\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe8\\xec\\x04\\xbc^\\xb8u\\x06\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11606
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11607
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11608
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000706"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11609
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xe8\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xe9\\x14\\xe9\\x08\\xe9\\x06\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xeb\\xec\\x04\\xbc^\\xb8u\\x06\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11610
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11611
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11612
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11613
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11614
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11615
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11616
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11617
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11618
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11619
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11620
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11621
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11622
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11623
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11624
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000070a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11625
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xf2d\\xf2X\\xf2\n\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xf5\\xec\\x04\\xbc^\\xb8u\n\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11626
          },
          {
            "timestamp": "2026-06-29 22:15:05,750",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter"
              }
            ],
            "repeated": 0,
            "id": 11627
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11628
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11629
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x04\\xf1\\xb4\\xf0\\xa8\\xf0\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02P\\xf3\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11630
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11631
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11632
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11633
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xef\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xf04\\xf0(\\xf0\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd0\\xf2\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11634
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11635
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11636
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11637
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xf1\\xec\\xf0\\xe0\\xf0\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xf3\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11638
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11639
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11640
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11641
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xfc\\xf0\\xac\\xf0\\xa0\\xf0\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02H\\xf3\\xec\\x04\\xbc^\\xb8u\\xa6\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11642
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11643
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11644
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11645
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xe7L\\xe7@\\xe7\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xe9\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11646
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11647
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11648
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11649
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xe7L\\xe7@\\xe7\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xe9\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11650
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11651
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11652
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11653
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xe7L\\xe7@\\xe7\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xe9\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11654
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11655
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11656
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11657
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xe7\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xe7D\\xe78\\xe7\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe0\\xe9\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11658
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11659
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000714"
              }
            ],
            "repeated": 0,
            "id": 11660
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e750b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11661
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e750b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000714"
              }
            ],
            "repeated": 0,
            "id": 11662
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11663
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11664
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11665
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1649D1CF-DEAF-4A68-ABE8-5C9F68572FD1}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1649D1CF-DEAF-4A68-ABE8-5C9F68572FD1}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 11666
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000714"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1649D1CF-DEAF-4A68-ABE8-5C9F68572FD1}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1649D1CF-DEAF-4A68-ABE8-5C9F68572FD1}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 11667
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000716"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1649d1cf-deaf-4a68-abe8-5c9f68572fd1}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11668
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000716"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11669
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xe5\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xe5d\\xe5X\\xe5\\x16\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xe8\\xec\\x04\\xbc^\\xb8u\\x16\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11670
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{1649d1cf-deaf-4a68-abe8-5c9f68572fd1}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1649d1cf-deaf-4a68-abe8-5c9f68572fd1}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 11671
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000716"
              }
            ],
            "repeated": 0,
            "id": 11672
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11673
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11674
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xf1\\xdc\\xf0\\xd0\\xf0\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00x\\xf3\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11675
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11676
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000714"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\"
              }
            ],
            "repeated": 0,
            "id": 11677
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000716"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11678
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000716"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11679
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xf1\\xc4\\xf0\\xb8\\xf0\\x16\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00`\\xf3\\xec\\x04\\xbc^\\xb8u\\x16\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11680
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11681
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000718"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000716"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\"
              }
            ],
            "repeated": 0,
            "id": 11682
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7483fece",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000716"
              }
            ],
            "repeated": 0,
            "id": 11683
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11684
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11685
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11686
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11687
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11688
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 11689
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11690
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11691
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 11692
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11693
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "edputil.dll"
              }
            ],
            "repeated": 0,
            "id": 11694
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\edputil.dll"
              }
            ],
            "repeated": 0,
            "id": 11695
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\edputil.dll"
              }
            ],
            "repeated": 0,
            "id": 11696
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\edputil.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 11697
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000720"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000071c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\edputil.dll"
              }
            ],
            "repeated": 0,
            "id": 11698
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000720"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73110000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0001b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11699
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73128000"
              },
              {
                "name": "ModuleName",
                "value": "edputil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11700
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11701
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11702
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73126000"
              },
              {
                "name": "ModuleName",
                "value": "edputil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11703
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000720"
              }
            ],
            "repeated": 0,
            "id": 11704
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11705
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73126000"
              },
              {
                "name": "ModuleName",
                "value": "edputil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11706
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11707
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 11708
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11709
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\edputil.dll"
              }
            ],
            "repeated": 0,
            "id": 11710
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\edputil.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 11711
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11712
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\edputil"
              },
              {
                "name": "DllBase",
                "value": "0x73110000"
              }
            ],
            "repeated": 0,
            "id": 11713
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\edputil"
              },
              {
                "name": "BaseAddress",
                "value": "0x73110000"
              },
              {
                "name": "InitRoutine",
                "value": "0x731147c0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11714
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11715
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11716
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7486e63a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11717
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7486e5a8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xc2p\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11718
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7486e5c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11719
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11720
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 11721
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8275",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11722
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11723
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 11724
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8334",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11725
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x747c69db",
            "parentcaller": "0x747c62a0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11726
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11727
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 11728
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000071c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 11729
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11730
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11731
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 11732
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000071c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 11733
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748129da",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11734
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11735
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11736
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xe4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xe4\\x9c\\xe4\\x90\\xe4\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x028\\xe7\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11737
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 11738
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11739
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11740
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xed\\\\xedP\\xed\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf8\\xef\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11741
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Application"
              }
            ],
            "repeated": 0,
            "id": 11742
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Application"
              }
            ],
            "repeated": 0,
            "id": 11743
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "urlmon.dll"
              }
            ],
            "repeated": 0,
            "id": 11744
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\urlmon.dll"
              }
            ],
            "repeated": 0,
            "id": 11745
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\urlmon.dll"
              }
            ],
            "repeated": 0,
            "id": 11746
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\urlmon.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 11747
          },
          {
            "timestamp": "2026-06-29 22:15:05,765",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000720"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000071c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\urlmon.dll"
              }
            ],
            "repeated": 0,
            "id": 11748
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000720"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72f60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x001a8000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11749
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11750
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11751
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11752
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7309f000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11753
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000720"
              }
            ],
            "repeated": 0,
            "id": 11754
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11755
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7309f000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11756
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f50eba",
            "parentcaller": "0x76f50d02",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa9\\xe7\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9d\\xbd<\\xc3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xce-\\x0e\\x0b\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\x01\\x1a\\x18\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x1f\\x1f\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x1f\\x1f\\x1f"
              }
            ],
            "repeated": 0,
            "id": 11757
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11758
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 11759
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11760
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\urlmon.dll"
              }
            ],
            "repeated": 0,
            "id": 11761
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000071c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\urlmon.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 11762
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 11763
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\urlmon"
              },
              {
                "name": "DllBase",
                "value": "0x72f60000"
              }
            ],
            "repeated": 0,
            "id": 11764
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x72f8684d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 11765
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11766
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11767
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\urlmon"
              },
              {
                "name": "BaseAddress",
                "value": "0x72f60000"
              },
              {
                "name": "InitRoutine",
                "value": "0x72fe3170"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11768
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11769
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11770
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11771
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000728"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 11772
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11773
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000072c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 11774
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11775
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000730"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 11776
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11777
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000734"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 11778
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11779
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000738"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 11780
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000738"
              }
            ],
            "repeated": 0,
            "id": 11781
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11782
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 11783
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11784
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 11785
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11786
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000738"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 11787
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11788
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 11789
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000738"
              },
              {
                "name": "ObjectAttributesName",
                "value": "FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"
              }
            ],
            "repeated": 0,
            "id": 11790
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000738"
              },
              {
                "name": "ObjectAttributesName",
                "value": "FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION"
              }
            ],
            "repeated": 0,
            "id": 11791
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0070d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11792
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000738"
              },
              {
                "name": "ObjectAttributesName",
                "value": "FEATURE_URI_DISABLECACHE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_URI_DISABLECACHE"
              }
            ],
            "repeated": 0,
            "id": 11793
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73adb000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11794
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73adb000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11795
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11796
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11797
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00D\\xef\\xf4\\xee\\xe8\\xee\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x90\\xf1\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11798
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 11799
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76214cca",
            "parentcaller": "0x76214c64",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "79EAC9EE-BAF9-11CE-8C82-00AA004BA90B"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11800
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000738"
              },
              {
                "name": "ObjectAttributesName",
                "value": "FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610"
              }
            ],
            "repeated": 0,
            "id": 11801
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b9db61",
            "parentcaller": "0x73a80656",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "msiso.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73a80763"
              }
            ],
            "repeated": 0,
            "id": 11802
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000738"
              },
              {
                "name": "ObjectAttributesName",
                "value": "FEATURE_LOCALMACHINE_LOCKDOWN"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN"
              }
            ],
            "repeated": 0,
            "id": 11803
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73a76ed4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 11804
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11805
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer"
              }
            ],
            "repeated": 0,
            "id": 11806
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "KeyInformation",
                "value": "s\\xff820 }\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 11807
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73a7a6ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 11808
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 11809
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11810
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer"
              }
            ],
            "repeated": 0,
            "id": 11811
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000744"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 11812
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73a7a374",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 11813
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000748"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 11814
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73a7a374",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 11815
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11816
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11817
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x742f8b03",
            "parentcaller": "0x742fdc25",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 11818
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8f828",
            "parentcaller": "0x75b8f48e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\UrlZonesSM_Rajesh"
              },
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11819
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x72f8751f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000754"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05750000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04eceef0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11820
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11821
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "System\\Setup"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\Setup"
              }
            ],
            "repeated": 0,
            "id": 11822
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x72f91694",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 11823
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11824
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11825
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000075c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000758"
              },
              {
                "name": "ObjectAttributesName",
                "value": "0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11826
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x72f915f0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 11827
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000075c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000758"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11828
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x72f915f0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 11829
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000075c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000758"
              },
              {
                "name": "ObjectAttributesName",
                "value": "2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11830
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x72f915f0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 11831
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000075c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000758"
              },
              {
                "name": "ObjectAttributesName",
                "value": "3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11832
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x72f915f0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 11833
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000075c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000758"
              },
              {
                "name": "ObjectAttributesName",
                "value": "4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 11834
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x72f915f0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 11835
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x72f915ff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 11836
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11837
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11838
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11839
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11840
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11841
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11842
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11843
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11844
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11845
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11846
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11847
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11848
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11849
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x75b8fa24",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              },
              {
                "name": "MutexName",
                "value": "Local\\ZonesCacheCounterMutex"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11850
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11851
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000760"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11852
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11853
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11854
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11855
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11856
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11857
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11858
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11859
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11860
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11861
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 11862
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11863
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11864
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000760"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11865
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11866
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11867
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11868
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11869
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11870
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11871
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11872
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11873
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11874
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\"
              }
            ],
            "repeated": 0,
            "id": 11875
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "ValueName",
                "value": "ProxyBypass"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "1"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"
              }
            ],
            "repeated": 0,
            "id": 11876
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "ValueName",
                "value": "IntranetName"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "1"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
              }
            ],
            "repeated": 0,
            "id": 11877
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "ValueName",
                "value": "UNCAsIntranet"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "1"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
              }
            ],
            "repeated": 0,
            "id": 11878
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "ValueName",
                "value": "AutoDetect"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "0"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
              }
            ],
            "repeated": 0,
            "id": 11879
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 11880
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11881
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 11882
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 11883
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11884
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000760"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11885
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11886
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11887
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11888
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11889
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11890
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11891
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11892
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11893
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11894
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 11895
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11896
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11897
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000760"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11898
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11899
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11900
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11901
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11902
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11903
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11904
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11905
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11906
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11907
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 11908
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 11909
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11910
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000760"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 11911
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11912
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 11913
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11914
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 11915
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11916
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 11917
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11918
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 11919
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11920
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 11921
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 11922
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 11923
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11924
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11925
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11926
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11927
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11928
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11929
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11930
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11931
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11932
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11933
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11934
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\"
              }
            ],
            "repeated": 0,
            "id": 11935
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11936
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8fb07",
            "parentcaller": "0x75b8fa24",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "MutexName",
                "value": "Local\\ZonesLockedCacheCounterMutex"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11937
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11938
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11939
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11940
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11941
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11942
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11943
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11944
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11945
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11946
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 11947
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 11948
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11949
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11950
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11951
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11952
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11953
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11954
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11955
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11956
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11957
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11958
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11959
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"
              }
            ],
            "repeated": 0,
            "id": 11960
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11961
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\"
              }
            ],
            "repeated": 0,
            "id": 11962
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "ValueName",
                "value": "ProxyBypass"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "1"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"
              }
            ],
            "repeated": 0,
            "id": 11963
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "ValueName",
                "value": "IntranetName"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "1"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
              }
            ],
            "repeated": 0,
            "id": 11964
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "ValueName",
                "value": "UNCAsIntranet"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "1"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
              }
            ],
            "repeated": 0,
            "id": 11965
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b86ba5",
            "parentcaller": "0x75b8341e",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "ValueName",
                "value": "AutoDetect"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "0"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
              }
            ],
            "repeated": 0,
            "id": 11966
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 11967
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 11968
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11969
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 11970
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11971
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11972
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11973
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11974
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11975
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11976
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11977
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11978
          },
          {
            "timestamp": "2026-06-29 22:15:05,781",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11979
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2"
              }
            ],
            "repeated": 0,
            "id": 11980
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 11981
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11982
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11983
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11984
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11985
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11986
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11987
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11988
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11989
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11990
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11991
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11992
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
              }
            ],
            "repeated": 0,
            "id": 11993
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 11994
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 11995
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 11996
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11997
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 11998
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 11999
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 12000
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12001
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 12002
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12003
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 12004
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12005
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4"
              }
            ],
            "repeated": 0,
            "id": 12006
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 12007
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12008
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b847eb",
            "parentcaller": "0x75b846c0",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 12009
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12010
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f3002d",
            "parentcaller": "0x75b94e1d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 12011
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000738"
              },
              {
                "name": "ObjectAttributesName",
                "value": "FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000"
              }
            ],
            "repeated": 0,
            "id": 12012
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12013
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12014
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12015
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12016
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xdf\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12017
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 12018
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000764"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 12019
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12020
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "<\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xbc\\xdd\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xe0\\xdd\\xec\\x04\\xdc\\xdd\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12021
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 12022
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000764"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 12023
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12024
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12025
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 12026
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x747bb6a0",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache"
              }
            ],
            "repeated": 0,
            "id": 12027
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c3dc4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12028
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x747c01d7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 12029
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x747c021e",
            "parentcaller": "0x747c3baa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12030
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x747c02da",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xdf\\xec\\x04`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12031
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2"
              }
            ],
            "repeated": 0,
            "id": 12032
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000758"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 12033
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7484bb07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12034
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "<\\xdd\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\xbc\\xdd\\xec\\x04\\x07\\xbb\\x84t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xbb\\x84t|\\xd0st\\xe0\\xdd\\xec\\x04\\xdc\\xdd\\xec\\x04\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12035
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75baa0e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 12036
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000758"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 12037
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7487f6eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12038
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x747c0a47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 12039
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747c0b40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12040
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x747bb6a0",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCookies"
              }
            ],
            "repeated": 0,
            "id": 12041
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x74884771",
            "parentcaller": "0x747c3dc4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12042
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x75ba4088",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12043
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x75ba4097",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12044
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba421d",
            "parentcaller": "0x72f90f92",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x006f06e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 12045
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba4678",
            "parentcaller": "0x75ba4235",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12046
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba421d",
            "parentcaller": "0x72f90f92",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x006f0460",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeedf2ef8"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 12047
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba4678",
            "parentcaller": "0x75ba4235",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12048
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba421d",
            "parentcaller": "0x72f90f92",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x006f03a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee3f58c"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 12049
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba4678",
            "parentcaller": "0x75ba4235",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12050
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba421d",
            "parentcaller": "0x72f90f92",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x006f0720",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 12051
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba4678",
            "parentcaller": "0x75ba4235",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12052
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba421d",
            "parentcaller": "0x72f90f92",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x006f0ae0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 12053
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75ba4678",
            "parentcaller": "0x75ba4235",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12054
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x75ba40b3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12055
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x72f8ff53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12056
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x72f8ff53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 12057
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x72f8ff53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 12058
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x72f8ff53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              }
            ],
            "repeated": 0,
            "id": 12059
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x72f8ff53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              }
            ],
            "repeated": 0,
            "id": 12060
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x72f8ff53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              }
            ],
            "repeated": 0,
            "id": 12061
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12062
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12063
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x73a84173",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12064
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12065
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12066
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x76212413",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12067
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x76212420",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12068
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x7621243a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12069
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12070
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12071
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x76212413",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12072
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x76212420",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12073
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x7621243a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 12074
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92da9",
            "parentcaller": "0x76212420",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe:Zone.Identifier"
              }
            ],
            "repeated": 0,
            "id": 12075
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b91571",
            "parentcaller": "0x7621243a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12076
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12077
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x730a3000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12078
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b9db61",
            "parentcaller": "0x73a80656",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "msiso.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73a80763"
              }
            ],
            "repeated": 0,
            "id": 12079
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000738"
              },
              {
                "name": "ObjectAttributesName",
                "value": "FEATURE_PROTOCOL_LOCKDOWN"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN"
              }
            ],
            "repeated": 0,
            "id": 12080
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73a76ed4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12081
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12082
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 12083
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12084
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0"
              }
            ],
            "repeated": 0,
            "id": 12085
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82abb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12086
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b82aeb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 12087
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12088
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12089
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xee\\x0c\\xee\\x00\\xee\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xa8\\xf0\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12090
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12091
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12092
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12093
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12094
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xed\\x94\\xed\\x88\\xedj\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x020\\xf0\\xec\\x04\\xbc^\\xb8uj\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12095
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12096
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076a"
              }
            ],
            "repeated": 0,
            "id": 12097
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12098
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12099
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xed\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xee\\x04\\xee\\xf8\\xed\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xa0\\xf0\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12100
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 12101
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DropTarget"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\DropTarget"
              }
            ],
            "repeated": 0,
            "id": 12102
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12103
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 12104
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12105
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748129da",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 12106
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76872000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12107
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76872000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12108
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x7568db55",
            "parentcaller": "0x7568b5be",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"
              }
            ],
            "repeated": 0,
            "id": 12109
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x7568b613",
            "parentcaller": "0x7568b530",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 12110
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12111
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12112
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xc4\\xeat\\xeah\\xea\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\xed\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12113
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12114
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12115
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12116
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12117
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xeaL\\xea@\\xeaj\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xec\\xec\\x04\\xbc^\\xb8uj\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12118
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12119
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7561ec39",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076a"
              }
            ],
            "repeated": 0,
            "id": 12120
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12121
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12122
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xe3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xe44\\xe4(\\xe4\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xe6\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12123
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12124
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12125
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12126
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12127
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xe3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xe4\\xbc\\xe3\\xb0\\xe3j\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xe6\\xec\\x04\\xbc^\\xb8uj\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12128
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12129
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f7b27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076a"
              }
            ],
            "repeated": 0,
            "id": 12130
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12131
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12132
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xe3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xe44\\xe4(\\xe4\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xe6\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12133
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12134
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12135
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12136
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12137
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xe3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x0c\\xe4\\xbc\\xe3\\xb0\\xe3j\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02X\\xe6\\xec\\x04\\xbc^\\xb8uj\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12138
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12139
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f7b27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076a"
              }
            ],
            "repeated": 0,
            "id": 12140
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x764308bd",
            "parentcaller": "0x7642ce43",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CDC82860-468D-4D4E-B7E7-C298FF23AB2C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "5632B1A4-E38A-400A-928A-D4CD63230295"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12141
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12142
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 12143
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12144
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x764a16ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000720"
              }
            ],
            "repeated": 0,
            "id": 12145
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12146
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 12147
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12148
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748129da",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000720"
              }
            ],
            "repeated": 0,
            "id": 12149
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12150
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 12151
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12152
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748129da",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000720"
              }
            ],
            "repeated": 0,
            "id": 12153
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x7481708d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000720"
              }
            ],
            "repeated": 0,
            "id": 12154
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x7481715c",
            "parentcaller": "0x748170b0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12155
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748170ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000720"
              }
            ],
            "repeated": 0,
            "id": 12156
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12157
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12158
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12159
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": ".exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 12160
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 12161
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000722"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12162
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000722"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12163
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xdc\\xea\\x8c\\xea\\x80\\xea\"\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02(\\xed\\xec\\x04\\xbc^\\xb8u\"\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12164
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\.exe"
              }
            ],
            "repeated": 0,
            "id": 12165
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12166
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12167
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12168
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 12169
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 12170
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12171
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12172
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xea\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xeb\\x0c\\xeb\\x00\\xebj\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xa8\\xed\\xec\\x04\\xbc^\\xb8uj\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12173
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 12174
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000076a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 12175
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12176
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12177
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xeb\\x9c\\xeb\\x90\\xebj\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x008\\xee\\xec\\x04\\xbc^\\xb8uj\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12178
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 12179
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000076a"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 12180
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748175e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076a"
              }
            ],
            "repeated": 0,
            "id": 12181
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000766"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12182
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000766"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12183
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe1\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xe2\\xc4\\xe1\\xb8\\xe1f\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00`\\xe4\\xec\\x04\\xbc^\\xb8uf\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12184
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Progid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Progid"
              }
            ],
            "repeated": 0,
            "id": 12185
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000766"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Progid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Progid"
              }
            ],
            "repeated": 0,
            "id": 12186
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12187
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\ProgIDs\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\ProgIDs\\exefile"
              }
            ],
            "repeated": 0,
            "id": 12188
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000722"
              }
            ],
            "repeated": 0,
            "id": 12189
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000766"
              }
            ],
            "repeated": 0,
            "id": 12190
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12191
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 12192
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12193
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12194
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 12195
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12196
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12197
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 12198
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12199
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12200
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 12201
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12202
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12203
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 12204
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12205
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12206
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 12207
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f8789",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12208
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x748896b1",
            "parentcaller": "0x7488965f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12209
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x7488975b",
            "parentcaller": "0x74889701",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12210
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x748896d9",
            "parentcaller": "0x7488965f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12211
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12212
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12213
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12214
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12215
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x748896b1",
            "parentcaller": "0x7488965f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12216
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x7488975b",
            "parentcaller": "0x74889701",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12217
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x748896d9",
            "parentcaller": "0x7488965f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12218
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12219
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12220
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xeeD\\xee8\\xee\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe0\\xf0\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12221
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 12222
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12223
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12224
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xeeD\\xee8\\xee\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe0\\xf0\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12225
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 12226
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12227
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 12228
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 12229
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7482326c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f4"
              }
            ],
            "repeated": 0,
            "id": 12230
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x748232a4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12231
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x74842797",
            "parentcaller": "0x74842761",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12232
          },
          {
            "timestamp": "2026-06-29 22:15:05,797",
            "thread_id": "168",
            "caller": "0x748427cf",
            "parentcaller": "0x74842761",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd4\\x1aq\\x00 \\x00 \\x00\\xec\\x1aq\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x1bq\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x00\\x00\\x00\\x00S\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xef\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12233
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x7483f004",
            "parentcaller": "0x74840a24",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x72e80000"
              }
            ],
            "repeated": 0,
            "id": 12234
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x7483f004",
            "parentcaller": "0x74840a24",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F1C46D71-B791-4110-8D5C-7108F22C1010"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8A43ED9F-F4E6-4421-ACF9-1DAB2986820C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12235
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x758817d7",
            "parentcaller": "0x75831999",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Foundation.PropertyValue"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue"
              }
            ],
            "repeated": 0,
            "id": 12236
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75881887",
            "parentcaller": "0x75881832",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "KeyInformation",
                "value": "<\\x1d\\x1c\\xffce}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00@\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00F\\x00o\\x00u\\x00n\\x00d\\x00a\\x00t\\x00i\\x00o\\x00n\\x00.\\x00P\\x00r\\x00o\\x00p\\x00e\\x00r\\x00t\\x00y\\x00V\\x00a\\x00l\\x00u\\x00e\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xffcc\\x01\\x02\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00l\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00h\\x08\\x02\\x00 \\x00\\x00\\x00\\x1c\\xffeb\\xffec\\x04\\xffde]\\xfff4v\\xffb4@n\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff8vm\\x00\\xfff8vm\\x00\\x00\\x00@\\x02\\xffa8\\xffec\\xffec\\x04#\\x0c\\xff83u\\x02\\x00\\x00\\x00\\xff93\\x0c\\xff83uT\\x18\\xff9au`\t\\xff83u\\xffa0@n\\x00\\xfff4\\x0c\\xff83ud\\x00\\x00\\x007\\x001\\x00\\xffa0@n\\x00\\x01\\x00\\x00\\x00T\\x18\\xff9au\\x02\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\t\\xff83u\\xfff0\\xff86\\xff89u\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xff91\\x00\\x00\\x00\\xffa0\\x03o\\x00\\x1d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x02\\x00\\xffd8Z\\x7f\\x02\\xfff8vm\\x00p\\xfff5\\x7f\\x028\\xfffb\\xff99u\\xffb4\\xffeb\\xffec\\x04\\x00-p\\x00\\x16<\\xfff4v\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x15\\x00\\x12\\x00H\\xffec\\xffec\\x04\\x04\\x03o\\x00 \\x00\\x00\\x00\\x06\\x00\\x01\\x00X\\xffec\\xffec\\x04D?n\\x00P\\xffec\\xffec\\x04\\x7fb\\xfff4vV\\x00\\x00\\x00 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xffdc\\xff82n\\x00P\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xfff0\\x02o\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfffel\\x000?n\\x00\\x00\\x00\\x00\\x00\\xffa0\\x03o\\x00\\xffa0\\x03o\\x00\\x00\\x00\\x00\\x00\\xfff8vm\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xffe0\\x01\\x02\\x00\\x00\\x00\\x00\\x00D\\x00\\x00\\x00|\\x0c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00x\\x0c\\x02\\x00\\xffde]\\xfff4vp\\xffec\\xffec\\x04\\xffde]\\xfff4v\\xffa0\\x03o\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff8vm\\x00\\xffa0\\x03o\\x00\\xffa0@n\\x00\\xfff8vm\\x00\\xffa4\\xffec\\xffec\\x04@\\xffa0\\xff82u\\xffb8@n\\x00\\xffa0\\x03o\\x000\\xff9f\\xff82u\\xffa0\\x03o\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12237
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000758"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CustomAttributes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 12238
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7582b908",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12239
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x758383c5",
            "parentcaller": "0x75838242",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12240
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8f218",
            "parentcaller": "0x74842673",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3236"
              }
            ],
            "repeated": 0,
            "id": 12241
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b92644",
            "parentcaller": "0x74842a82",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 12242
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x7484296b",
            "parentcaller": "0x74842872",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12243
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x748429a7",
            "parentcaller": "0x74842872",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xcc$q\\x00 \\x00 \\x00\\xe4$q\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x08%q\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x00\\x00\\x00\\x00S\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xef\\x7f\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12244
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x74842883",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 12245
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7484269e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12246
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8f218",
            "parentcaller": "0x74842584",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3236"
              }
            ],
            "repeated": 0,
            "id": 12247
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748425c7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12248
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x758383c5",
            "parentcaller": "0x75838242",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12249
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12250
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12251
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe2\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00,\\xe3\\xdc\\xe2\\xd0\\xe2\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02x\\xe5\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12252
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 12253
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12254
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12255
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xec\\xeb\\x9c\\xeb\\x90\\xeb\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x008\\xee\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12256
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Application"
              }
            ],
            "repeated": 0,
            "id": 12257
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Application"
              }
            ],
            "repeated": 0,
            "id": 12258
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12259
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 12260
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12261
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12262
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12263
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
              }
            ],
            "repeated": 0,
            "id": 12264
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12265
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12266
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12267
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 12268
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 12269
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x7486977e",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12270
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x748697c8",
            "parentcaller": "0x747e76e2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12271
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x7486980e",
            "parentcaller": "0x747e76e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12272
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12273
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12274
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12275
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12276
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12277
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12278
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12279
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xda\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00|\\xdb,\\xdb \\xdbn\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc8\\xdd\\xec\\x04\\xbc^\\xb8un\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12280
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12281
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74869a4e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076e"
              }
            ],
            "repeated": 0,
            "id": 12282
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12283
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 12284
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b84343",
            "parentcaller": "0x75b84121",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd0\\x14\\xffde$\\xffdf\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12285
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7481bdff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12286
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b78e93",
            "parentcaller": "0x75b78e42",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12287
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b78e6e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12288
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b9fd84",
            "parentcaller": "0x755fee90",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000770"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 12289
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x755fefeb",
            "parentcaller": "0x755fbad3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000770"
              },
              {
                "name": "IoControlCode",
                "value": "0x00090240"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00\\x0c\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12290
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75623c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12291
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12292
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12293
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12294
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000077c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12295
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000077c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12296
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077c"
              }
            ],
            "repeated": 0,
            "id": 12297
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12298
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12299
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 12300
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12301
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12302
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12303
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000077c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12304
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000077c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12305
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077c"
              }
            ],
            "repeated": 0,
            "id": 12306
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12307
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12308
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 12309
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b8feda",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12310
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12311
          },
          {
            "timestamp": "2026-06-29 22:15:05,812",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12312
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12313
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000758"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12314
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12315
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12316
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b8ff33",
            "parentcaller": "0x7647fa1d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12317
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8fffb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 12318
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00713000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12319
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b8ed45",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12320
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x76f4539b",
            "parentcaller": "0x75b90a7e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12321
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90369",
            "parentcaller": "0x75b9009e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12322
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90b2a",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000076c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12323
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90b73",
            "parentcaller": "0x75b907d7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000758"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12324
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90bcb",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12325
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b90bd2",
            "parentcaller": "0x75b907d7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12326
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b8ed83",
            "parentcaller": "0x7647fa45",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12327
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b8efec",
            "parentcaller": "0x75b8eeae",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              }
            ],
            "repeated": 0,
            "id": 12328
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7560077e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 12329
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x75600794",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              }
            ],
            "repeated": 0,
            "id": 12330
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x76f32546",
            "parentcaller": "0x76f31f50",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12331
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x74840ac4",
            "parentcaller": "0x7483e5b8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "21CBC515-2DDE-4D66-8292-BA34BD25094A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12332
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x73da55a4",
            "parentcaller": "0x73da61d5",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12333
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e548",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 1,
            "id": 12334
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.3"
              }
            ],
            "repeated": 0,
            "id": 12335
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro"
              }
            ],
            "repeated": 0,
            "id": 12336
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x7412de75",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000778"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ece45c"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12337
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000774"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000030.db"
              }
            ],
            "repeated": 0,
            "id": 12338
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x74122e49",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000774"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05770000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ecf304"
              },
              {
                "name": "ViewSize",
                "value": "0x0001a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12339
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x73da3ca7",
            "parentcaller": "0x73da6564",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 12340
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x02%\\x08\\x0c\\xfe\\xff\\xff\\xff\\xa4\\xf0\\xec\\x04d\\x16\\xefuh\\x00\\x00\\x00\\xd0\\x07\\x02\\x00d\\x00\\x00\\x00\\x885@\\x02h\\x00\\x00\\x00\\x885@\\x02\\x00\\xfdj\\x00"
              }
            ],
            "repeated": 0,
            "id": 12341
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75b81199",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000770"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 12342
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000770"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\"
              }
            ],
            "repeated": 0,
            "id": 12343
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000076c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Control Panel\\International\\User Profile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile"
              }
            ],
            "repeated": 0,
            "id": 12344
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x73d2e537",
            "parentcaller": "0x73d45898",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 12345
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73d34fec",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12346
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x73d34ffa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12347
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x76f2d794",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xeb\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00'\\x02\\x02\\x00\\x00\\x00\\xa0\\xb4\\xb9u\\xc0}\\xd3s \\x00\\x00\\x00\\x1d\\x00\\x13\\x00X\\xec\\xec\\x04\\xecZ\\x7f\\x02P\\xec\\xec\\x04\\x7fb\\xf4vq\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12348
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x76f2d7c7",
            "parentcaller": "0x75b81199",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 12349
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9530a",
            "parentcaller": "0x75b7c6d8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000076c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Control Panel\\International\\Geo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo"
              }
            ],
            "repeated": 0,
            "id": 12350
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9533d",
            "parentcaller": "0x75b7c6d8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 12351
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b7c758",
            "parentcaller": "0x73da3d20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12352
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e548",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 12353
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.3"
              }
            ],
            "repeated": 0,
            "id": 12354
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9285d",
            "parentcaller": "0x7412e294",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*Rajesh*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro"
              }
            ],
            "repeated": 0,
            "id": 12355
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9da9b",
            "parentcaller": "0x7412de75",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000758"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x04ece494"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12356
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x741301d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 12357
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9f5a5",
            "parentcaller": "0x741301e1",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05790000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12358
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x74130107",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              }
            ],
            "repeated": 0,
            "id": 12359
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9f5a5",
            "parentcaller": "0x74130122",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05770000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12360
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7412e548",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 12361
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x741301d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12362
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b9f5a5",
            "parentcaller": "0x741301e1",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12363
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75ba4eeb",
            "parentcaller": "0x75608c21",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00  \\x00\\xa4\\x0c\\x00\\x00\\xa8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 12364
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x756090b3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 12365
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "408",
            "caller": "0x75ba4eeb",
            "parentcaller": "0x7562f035",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x10!\\x00\\xa4\\x0c\\x00\\x00\\x98\\x01\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "408"
              }
            ],
            "repeated": 0,
            "id": 12366
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7584d2e3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12367
          },
          {
            "timestamp": "2026-06-29 22:15:05,828",
            "thread_id": "408",
            "caller": "0x758449c7",
            "parentcaller": "0x7584d2e3",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x72e40000"
              }
            ],
            "repeated": 0,
            "id": 12368
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x748d2746",
            "parentcaller": "0x748d2d81",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12369
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x753bb942",
            "parentcaller": "0x753bb8d6",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12370
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75442000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12371
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75442000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12372
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x753bbd8a",
            "parentcaller": "0x753bb912",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12373
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12374
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12375
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12376
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}"
              }
            ],
            "repeated": 0,
            "id": 12377
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}"
              }
            ],
            "repeated": 0,
            "id": 12378
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12379
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12380
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xe7j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xd4\\xe7\\x84\\xe7x\\xe7z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00 \\xeaj\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12381
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 12382
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000774"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 12383
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12384
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12385
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xe7j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xac\\xe7\\\\xe7P\\xe7v\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf8\\xe9j\\x05\\xbc^\\xb8uv\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12386
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 12387
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000776"
              }
            ],
            "repeated": 0,
            "id": 12388
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7580fd41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077a"
              }
            ],
            "repeated": 0,
            "id": 12389
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12390
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12391
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12392
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12393
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12394
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12395
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xdbj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00T\\xdc\\x04\\xdc\\xf8\\xdbz\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xa0\\xdej\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12396
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 12397
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 12398
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x757fcbd0",
            "parentcaller": "0x757fcb80",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 1,
            "id": 12399
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12400
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xdb\\xec\\xda\\xe0\\xdaz\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xddj\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12401
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12402
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12403
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12404
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xdb\\xc4\\xda\\xb8\\xdaz\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xddj\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12405
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12406
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12407
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12408
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xdb\\xc4\\xda\\xb8\\xdaz\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xddj\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12409
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12410
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12411
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12412
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xdbj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xa4\\xdbT\\xdbH\\xdbz\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xf0\\xddj\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12413
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 12414
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000774"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 12415
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12416
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12417
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xdal\\xda`\\xdav\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xddj\\x05\\xbc^\\xb8uv\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12418
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12419
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12420
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12421
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xda\\x94\\xda\\x88\\xdav\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x020\\xddj\\x05\\xbc^\\xb8uv\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12422
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12423
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12424
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12425
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xda\\x94\\xda\\x88\\xdav\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x020\\xddj\\x05\\xbc^\\xb8uv\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12426
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12427
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12428
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000776"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12429
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xdaL\\xda@\\xdav\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xe8\\xdcj\\x05\\xbc^\\xb8uv\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12430
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12431
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x757fd74c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000776"
              }
            ],
            "repeated": 0,
            "id": 12432
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12433
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12434
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xdb\\xec\\xda\\xe0\\xdaz\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\xddj\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12435
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 12436
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 12437
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12438
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12439
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xdaj\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xdb\\xec\\xda\\xe0\\xdaz\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\xddj\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12440
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 12441
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 12442
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x757fc97c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077a"
              }
            ],
            "repeated": 0,
            "id": 12443
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12444
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12445
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12446
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12447
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12448
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12449
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12450
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12451
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd7j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xfc\\xd7\\xac\\xd7\\xa0\\xd7z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00H\\xdaj\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12452
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 12453
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 12454
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x757fcbd0",
            "parentcaller": "0x757fcb80",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 1,
            "id": 12455
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12456
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xd6\\x94\\xd6\\x88\\xd6z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x020\\xd9j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12457
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12458
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12459
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12460
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xd6l\\xd6`\\xd6z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xd9j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12461
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12462
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12463
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12464
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xbc\\xd6l\\xd6`\\xd6z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x08\\xd9j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12465
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12466
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12467
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12468
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xd7\\xfc\\xd6\\xf0\\xd6z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x98\\xd9j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12469
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 12470
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 12471
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12472
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12473
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xd5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00d\\xd6\\x14\\xd6\\x08\\xd6~\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xb0\\xd8j\\x05\\xbc^\\xb8u~\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12474
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12475
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12476
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12477
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xd6<\\xd60\\xd6~\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xd8j\\x05\\xbc^\\xb8u~\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12478
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12479
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12480
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12481
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xd6<\\xd60\\xd6~\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xd8j\\x05\\xbc^\\xb8u~\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12482
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12483
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12484
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12485
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xd5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00D\\xd6\\xf4\\xd5\\xe8\\xd5~\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x90\\xd8j\\x05\\xbc^\\xb8u~\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12486
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 12487
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x757fd74c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077e"
              }
            ],
            "repeated": 0,
            "id": 12488
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12489
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12490
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xd6\\x94\\xd6\\x88\\xd6z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xd9j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12491
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 12492
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 12493
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12494
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12495
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xe4\\xd6\\x94\\xd6\\x88\\xd6z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xd9j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12496
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 12497
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 12498
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12499
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12500
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x94\\xd6D\\xd68\\xd6z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xe0\\xd8j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12501
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 12502
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 12503
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12504
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12505
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xd5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x14\\xd6\\xc4\\xd5\\xb8\\xd5z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02`\\xd8j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12506
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12507
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12508
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12509
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd5j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xd6\\xfc\\xd5\\xf0\\xd5z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x98\\xd8j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12510
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 12511
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 12512
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12513
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12514
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12515
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12516
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12517
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12518
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd6j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00L\\xd7\\xfc\\xd6\\xf0\\xd6~\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\x98\\xd9j\\x05\\xbc^\\xb8u~\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12519
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 12520
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Elevation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 12521
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7587cad3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077e"
              }
            ],
            "repeated": 0,
            "id": 12522
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x757fc97c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077a"
              }
            ],
            "repeated": 0,
            "id": 12523
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12524
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000346"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12525
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000346"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12526
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 12527
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12528
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000077a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12529
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xe4j\\x05\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00t\\xe5$\\xe5\\x18\\xe5z\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x19\\x00\\x02\\x00\\xc0\\xe7j\\x05\\xbc^\\xb8uz\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12530
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 12531
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000077a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 12532
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x758117e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077a"
              }
            ],
            "repeated": 0,
            "id": 12533
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12534
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12535
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "OneCoreUAPCommonProxyStub.dll"
              }
            ],
            "repeated": 0,
            "id": 12536
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              }
            ],
            "repeated": 0,
            "id": 12537
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e155",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 12538
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e155",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000077c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\OneCoreUAPCommonProxyStub.dll"
              }
            ],
            "repeated": 0,
            "id": 12539
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000077c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x003a1000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12540
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72db7000"
              },
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12541
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12542
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12543
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72db5000"
              },
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12544
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72db5000"
              },
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12545
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077c"
              }
            ],
            "repeated": 0,
            "id": 12546
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12547
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12548
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12549
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12550
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              }
            ],
            "repeated": 0,
            "id": 12551
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 12552
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12553
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x72a90000"
              }
            ],
            "repeated": 0,
            "id": 12554
          },
          {
            "timestamp": "2026-06-29 22:15:05,843",
            "thread_id": "408",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f51843",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\OneCoreUAPCommonProxyStub"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a90000"
              },
              {
                "name": "InitRoutine",
                "value": "0x72daace0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12555
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12556
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x75b911a9",
            "parentcaller": "0x75b91102",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12557
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x758817d7",
            "parentcaller": "0x75831999",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000774"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004ac"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Storage.Streams.DataWriter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter"
              }
            ],
            "repeated": 0,
            "id": 12558
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x75881887",
            "parentcaller": "0x75881832",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000774"
              },
              {
                "name": "KeyInformation",
                "value": "?\t(\\xffce}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00D\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00.\\x00S\\x00t\\x00r\\x00e\\x00a\\x00m\\x00s\\x00.\\x00D\\x00a\\x00t\\x00a\\x00W\\x00r\\x00i\\x00t\\x00e\\x00r\\x00\\x00\\x00\\x02\\x00\\xffcc\\x01\\x02\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00l\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00h\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\xfff4\\xfff2j\\x05\\xffde]\\xfff4v$Dn\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0pm\\x00\\xffe0pm\\x00\\x009p\\x00\\xff80\\xfff4j\\x05#\\x0c\\xff83u\\x02\\x00\\x00\\x00\\xff93\\x0c\\xff83uT\\x18\\xff9au`\t\\xff83u\\x10Dn\\x00\\xfff4\\x0c\\xff83u\\x13\\xffdf\\xff84u(\\xfff6j\\x05\\x10Dn\\x00\\x01\\x00\\x00\\x00T\\x18\\xff9au0Xp\\x00@\\x00\\x00\\x00\\x009p\\x00`\t\\xff83u\\xfff0\\xff86\\xff89u\\x06\\x00\\x00\\x008\\xff85n\\x00\\xffde]\\xfff4v\\xffe0\\x06o\\x00\\x00\\x00\\x00\\x00 \\xffb0j\\x00\\xffbf}\\xff97|\\x00\\x00\\x00\\x00\\xffe0pm\\x00\\xff90\\xffe3\\xff84u8\\xfffb\\xff99u\\xffd8\\xfff8k\\x00\\xffc8(p\\x00(\\xfff6j\\x05\\x08\\xffe4\\xff84u0Xp\\x00 \\x00\\x00\\x00\\x12\\x00\\x05\\x00 \\xfff4j\\x05\\x04\\x03o\\x00 \\x00\\x00\\x00\\x02\\x00\\x0b\\x000\\xfff4j\\x05D?n\\x00(\\xfff4j\\x05\\x7fb\\xfff4v%\\x00\\x00\\x00 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xffdc\\xff82n\\x00P\\x00\\x00\\x00\\xffd0\\x07\\x02\\x00d\\x00\\x00\\x00\\xfff0\\x02o\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfffel\\x000?n\\x00\\x00\\x00\\x00\\x00\\xffe0\\x06o\\x00\\xffe0\\x06o\\x00\\x00\\x00\\x00\\x00\\xffe0pm\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xffe0\\x01\\x02\\x00\\x00\\x00\\x00\\x00D\\x00\\x00\\x00|\\x0c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00x\\x0c\\x02\\x00\\xffde]\\xfff4vH\\xfff4j\\x05\\xffde]\\xfff4v\\xffe0\\x06o\\x00\\xffde]\\xfff4v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0pm\\x00\\xffe0\\x06o\\x00\\x10Dn\\x00\\xffe0pm\\x00|\\xfff4j\\x05@\\xffa0\\xff82u(Dn\\x00\\xffe0\\x06o\\x000\\xff9f\\xff82u\\xffe0\\x06o\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12559
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000774"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CustomAttributes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 12560
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x75b8696b",
            "parentcaller": "0x7582b908",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              }
            ],
            "repeated": 0,
            "id": 12561
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x72ef1acc",
            "parentcaller": "0x72edd105",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12562
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x758383c5",
            "parentcaller": "0x758343ce",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 5,
            "id": 12563
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "408",
            "caller": "0x75ba4eeb",
            "parentcaller": "0x755fd75f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x10!\\x00\\xa4\\x0c\\x00\\x00\\x98\\x01\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "408"
              }
            ],
            "repeated": 0,
            "id": 12564
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f561ea",
            "parentcaller": "0x75ba9549",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12565
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f56211",
            "parentcaller": "0x75ba9549",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077c"
              }
            ],
            "repeated": 0,
            "id": 12566
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12567
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12568
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12569
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12570
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12571
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12572
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12573
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12574
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12575
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b8fe16",
            "parentcaller": "0x7489d088",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc000007c",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12576
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12577
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12578
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MPR.dll"
              }
            ],
            "repeated": 0,
            "id": 12579
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\MPR.dll"
              }
            ],
            "repeated": 0,
            "id": 12580
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mpr.dll"
              }
            ],
            "repeated": 0,
            "id": 12581
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e32b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000077c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mpr.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 12582
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e32b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000077c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\mpr.dll"
              }
            ],
            "repeated": 0,
            "id": 12583
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000778"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00019000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12584
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4ffdf",
            "parentcaller": "0x76f50764",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a86000"
              },
              {
                "name": "ModuleName",
                "value": "MPR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12585
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12586
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12587
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a84000"
              },
              {
                "name": "ModuleName",
                "value": "MPR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12588
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12589
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e32b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077c"
              }
            ],
            "repeated": 0,
            "id": 12590
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a84000"
              },
              {
                "name": "ModuleName",
                "value": "MPR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12591
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12592
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12593
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12594
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\MPR.dll"
              }
            ],
            "repeated": 0,
            "id": 12595
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000077c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mpr.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 12596
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077c"
              }
            ],
            "repeated": 0,
            "id": 12597
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\MPR"
              },
              {
                "name": "DllBase",
                "value": "0x72a70000"
              }
            ],
            "repeated": 0,
            "id": 12598
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12599
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder"
              }
            ],
            "repeated": 0,
            "id": 12600
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12601
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "system\\CurrentControlSet\\control\\NetworkProvider\\ProviderOrder"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\ProviderOrder"
              }
            ],
            "repeated": 0,
            "id": 12602
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\mpr"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x72a73540"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12603
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12604
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12605
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b759c2",
            "parentcaller": "0x72a73d63",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\"
              }
            ],
            "repeated": 0,
            "id": 12606
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b75a25",
            "parentcaller": "0x72a73d63",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100000",
                "pretty_value": "SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 12607
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75ba90ee",
            "parentcaller": "0x75b75a44",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 12608
          },
          {
            "timestamp": "2026-06-29 22:15:05,859",
            "thread_id": "168",
            "caller": "0x75b75a7a",
            "parentcaller": "0x72a73d63",
            "category": "filesystem",
            "api": "GetVolumeInformationByHandleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              },
              {
                "name": "VolumeName",
                "value": ""
              },
              {
                "name": "VolumeSerial",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12609
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b75a85",
            "parentcaller": "0x72a73d63",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12610
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b759c2",
            "parentcaller": "0x72a73d63",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\"
              }
            ],
            "repeated": 0,
            "id": 12611
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b75a25",
            "parentcaller": "0x72a73d63",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100000",
                "pretty_value": "SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 12612
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75ba90ee",
            "parentcaller": "0x75b75a44",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 12613
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b75a7a",
            "parentcaller": "0x72a73d63",
            "category": "filesystem",
            "api": "GetVolumeInformationByHandleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              },
              {
                "name": "VolumeName",
                "value": ""
              },
              {
                "name": "VolumeSerial",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12614
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b75a85",
            "parentcaller": "0x72a73d63",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12615
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b759c2",
            "parentcaller": "0x72a73d63",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\"
              }
            ],
            "repeated": 0,
            "id": 12616
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b75a25",
            "parentcaller": "0x72a73d63",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100000",
                "pretty_value": "SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 12617
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75ba90ee",
            "parentcaller": "0x75b75a44",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 12618
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b75a7a",
            "parentcaller": "0x72a73d63",
            "category": "filesystem",
            "api": "GetVolumeInformationByHandleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              },
              {
                "name": "VolumeName",
                "value": ""
              },
              {
                "name": "VolumeSerial",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12619
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x75b75a85",
            "parentcaller": "0x72a73d63",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12620
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12621
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12622
          },
          {
            "timestamp": "2026-06-29 22:15:05,875",
            "thread_id": "348",
            "caller": "0x76f679e9",
            "parentcaller": "0x753bdc27",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12623
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x748a3f26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12624
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f5106f",
            "parentcaller": "0x76f4f009",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "pcacli.dll"
              }
            ],
            "repeated": 0,
            "id": 12625
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f5210c",
            "parentcaller": "0x76f52016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\pcacli.dll"
              }
            ],
            "repeated": 0,
            "id": 12626
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f5e5df",
            "parentcaller": "0x76f5e155",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\pcacli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 12627
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f5e61c",
            "parentcaller": "0x76f5e155",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000078c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\pcacli.dll"
              }
            ],
            "repeated": 0,
            "id": 12628
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f511fc",
            "parentcaller": "0x76f51367",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000078c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a50000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12629
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12630
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12631
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f39d1b",
            "parentcaller": "0x76f4b470",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a5d000"
              },
              {
                "name": "ModuleName",
                "value": "pcacli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12632
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f5e670",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000078c"
              }
            ],
            "repeated": 0,
            "id": 12633
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f5e678",
            "parentcaller": "0x76f5e155",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12634
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f50ce0",
            "parentcaller": "0x76f3e463",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a5d000"
              },
              {
                "name": "ModuleName",
                "value": "pcacli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12635
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DDRAW.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12636
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D8.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12637
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x746394d9",
            "parentcaller": "0x7463924b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "D3D9.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12638
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x74639691",
            "parentcaller": "0x74638a62",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\pcacli.dll"
              }
            ],
            "repeated": 0,
            "id": 12639
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x746396d0",
            "parentcaller": "0x74638a62",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000778"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\pcacli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 12640
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12641
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x74639771",
            "parentcaller": "0x74638a62",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\pcacli"
              },
              {
                "name": "DllBase",
                "value": "0x72a50000"
              }
            ],
            "repeated": 0,
            "id": 12642
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x72a549cb",
            "parentcaller": "0x72a54585",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000078c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 12643
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x72a54a7b",
            "parentcaller": "0x72a54585",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000078c"
              }
            ],
            "repeated": 0,
            "id": 12644
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75b94081",
            "parentcaller": "0x72a54db5",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75a80000"
              }
            ],
            "repeated": 0,
            "id": 12645
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75b8ef86",
            "parentcaller": "0x72a54df2",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\pcacli"
              },
              {
                "name": "BaseAddress",
                "value": "0x72a50000"
              },
              {
                "name": "InitRoutine",
                "value": "0x72a558f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12646
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f4fe9f",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12647
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f4fed4",
            "parentcaller": "0x76f4fd94",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c81000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12648
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75bac408",
            "parentcaller": "0x72a53bec",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "1"
              },
              {
                "name": "ThreadInformation",
                "value": "g\\x1az\\xba\\x14\\x08\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x945w\\x00\\x00\\x00\\x00\\x00\\x10^_\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 12649
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12650
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppCompat"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 12651
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12652
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75b85d04",
            "parentcaller": "0x75b85885",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000794"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppCompat"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 12653
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75b84d1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000794"
              }
            ],
            "repeated": 0,
            "id": 12654
          },
          {
            "timestamp": "2026-06-29 22:15:06,062",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00715000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12655
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75babca3",
            "parentcaller": "0x7489707d",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000788"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "5060"
              },
              {
                "name": "ProcessId",
                "value": "3760"
              }
            ],
            "repeated": 0,
            "id": 12656
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12657
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12658
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12659
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12660
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Applications\\InstallFlashPlayer.exe"
              }
            ],
            "repeated": 0,
            "id": 12661
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12662
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12663
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xe3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\\\xe4\\x0c\\xe4\\x00\\xe4\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xa8\\xe6\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12664
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile"
              }
            ],
            "repeated": 0,
            "id": 12665
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12666
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12667
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xec\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00$\\xed\\xd4\\xec\\xc8\\xec\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\xef\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12668
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Application"
              }
            ],
            "repeated": 0,
            "id": 12669
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Application"
              }
            ],
            "repeated": 0,
            "id": 12670
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12671
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12672
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x8c\\xe4<\\xe40\\xe4\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xd8\\xe6\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12673
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 12674
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12675
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12676
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xe3\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x84\\xe44\\xe4(\\xe4\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xe6\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12677
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Application"
              }
            ],
            "repeated": 0,
            "id": 12678
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Application"
              }
            ],
            "repeated": 0,
            "id": 12679
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12680
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12681
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xe0\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xb4\\xe0d\\xe0X\\xe0\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\xe3\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12682
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12683
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000794"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000069a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12684
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000796"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12685
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000796"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12686
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xdf\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00<\\xe0\\xec\\xdf\\xe0\\xdf\\x96\\x07\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x88\\xe2\\xec\\x04\\xbc^\\xb8u\\x96\\x07\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12687
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas\\command"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command"
              }
            ],
            "repeated": 0,
            "id": 12688
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x755f7b27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000796"
              }
            ],
            "repeated": 0,
            "id": 12689
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b859d1",
            "parentcaller": "0x75b8583c",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12690
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12691
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000326"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12692
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000326"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Applications\\%1.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Applications\\%1.exe"
              }
            ],
            "repeated": 0,
            "id": 12693
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Applications\\%1.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Applications\\%1.exe"
              }
            ],
            "repeated": 0,
            "id": 12694
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b7ad0e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12695
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ea"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12696
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe4\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\x9c\\xe4L\\xe4@\\xe4\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe8\\xe6\\xec\\x04\\xbc^\\xb8u\\xea\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12697
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\Progid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Progid"
              }
            ],
            "repeated": 0,
            "id": 12698
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b86068",
            "parentcaller": "0x75b7ad2b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003ea"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Progid"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Progid"
              }
            ],
            "repeated": 0,
            "id": 12699
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8623b",
            "parentcaller": "0x75b82213",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12700
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85ebc",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000069a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x04\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12701
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f538d9",
            "parentcaller": "0x75b86104",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xee\\xec\\x04\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x07\\x00\\x00\\x00\\x07\\x00\\xfc\\xee\\xac\\xee\\xa0\\xee\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02H\\xf1\\xec\\x04\\xbc^\\xb8u\\x9a\\x06\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12702
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b85f55",
            "parentcaller": "0x75b82249",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\exefile\\shell\\runas"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas"
              }
            ],
            "repeated": 0,
            "id": 12703
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x74841027",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000784"
              }
            ],
            "repeated": 0,
            "id": 12704
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x74841033",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000788"
              }
            ],
            "repeated": 0,
            "id": 12705
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x7484103f",
            "category": "system",
            "api": "NtClose",
            "status": false,
            "return": "0xffffffffc0000008",
            "pretty_return": "INVALID_HANDLE",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 12706
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7621302b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071a"
              }
            ],
            "repeated": 0,
            "id": 12707
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 12708
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 12709
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 12710
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7621302b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 12711
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 12712
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              }
            ],
            "repeated": 0,
            "id": 12713
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 12714
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7646995b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000068e"
              }
            ],
            "repeated": 0,
            "id": 12715
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000696"
              }
            ],
            "repeated": 0,
            "id": 12716
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000692"
              }
            ],
            "repeated": 0,
            "id": 12717
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000686"
              }
            ],
            "repeated": 0,
            "id": 12718
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7646995b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000069e"
              }
            ],
            "repeated": 0,
            "id": 12719
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a6"
              }
            ],
            "repeated": 0,
            "id": 12720
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a2"
              }
            ],
            "repeated": 0,
            "id": 12721
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000069a"
              }
            ],
            "repeated": 0,
            "id": 12722
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7646995b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ae"
              }
            ],
            "repeated": 0,
            "id": 12723
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b6"
              }
            ],
            "repeated": 0,
            "id": 12724
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b2"
              }
            ],
            "repeated": 0,
            "id": 12725
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006aa"
              }
            ],
            "repeated": 0,
            "id": 12726
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000066a"
              }
            ],
            "repeated": 0,
            "id": 12727
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7646995b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c6"
              }
            ],
            "repeated": 0,
            "id": 12728
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ce"
              }
            ],
            "repeated": 0,
            "id": 12729
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ca"
              }
            ],
            "repeated": 0,
            "id": 12730
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c2"
              }
            ],
            "repeated": 0,
            "id": 12731
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7646995b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006d6"
              }
            ],
            "repeated": 0,
            "id": 12732
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006de"
              }
            ],
            "repeated": 0,
            "id": 12733
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006da"
              }
            ],
            "repeated": 0,
            "id": 12734
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006d2"
              }
            ],
            "repeated": 0,
            "id": 12735
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7646995b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006e6"
              }
            ],
            "repeated": 0,
            "id": 12736
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              }
            ],
            "repeated": 0,
            "id": 12737
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ea"
              }
            ],
            "repeated": 0,
            "id": 12738
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006e2"
              }
            ],
            "repeated": 0,
            "id": 12739
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006be"
              }
            ],
            "repeated": 0,
            "id": 12740
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7646995b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006fa"
              }
            ],
            "repeated": 0,
            "id": 12741
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000702"
              }
            ],
            "repeated": 0,
            "id": 12742
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006fe"
              }
            ],
            "repeated": 0,
            "id": 12743
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 12744
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7646995b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000070a"
              }
            ],
            "repeated": 0,
            "id": 12745
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x74839086",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000712"
              }
            ],
            "repeated": 0,
            "id": 12746
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000070e"
              }
            ],
            "repeated": 0,
            "id": 12747
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000706"
              }
            ],
            "repeated": 0,
            "id": 12748
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x76469f12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              }
            ],
            "repeated": 0,
            "id": 12749
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75818b43",
            "parentcaller": "0x758189c5",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12750
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7641f8c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000406"
              }
            ],
            "repeated": 0,
            "id": 12751
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7641f8c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040a"
              }
            ],
            "repeated": 0,
            "id": 12752
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7641f8c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              }
            ],
            "repeated": 0,
            "id": 12753
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7641f8c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041e"
              }
            ],
            "repeated": 0,
            "id": 12754
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x7641f8c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000426"
              }
            ],
            "repeated": 0,
            "id": 12755
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000422"
              }
            ],
            "repeated": 0,
            "id": 12756
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041a"
              }
            ],
            "repeated": 0,
            "id": 12757
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              }
            ],
            "repeated": 0,
            "id": 12758
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fe"
              }
            ],
            "repeated": 0,
            "id": 12759
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040e"
              }
            ],
            "repeated": 0,
            "id": 12760
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x75625244",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ea"
              }
            ],
            "repeated": 0,
            "id": 12761
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8696b",
            "parentcaller": "0x747d568e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 12762
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "5028",
            "caller": "0x004028e4",
            "parentcaller": "0x00401b85",
            "category": "process",
            "api": "ShellExecuteExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "FilePath",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
              },
              {
                "name": "Parameters",
                "value": ""
              },
              {
                "name": "Show",
                "value": "1",
                "pretty_value": "SW_SHOWNORMAL"
              }
            ],
            "repeated": 0,
            "id": 12763
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "5028",
            "caller": "0x00403e56",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x000002e8",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "17",
                "pretty_value": "IPPROTO_UDP"
              },
              {
                "name": "socket",
                "value": "744"
              }
            ],
            "repeated": 0,
            "id": 12764
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "5028",
            "caller": "0x00403e90",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "744"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000020"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 12765
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "5028",
            "caller": "0x00403e9f",
            "parentcaller": "0x004029b1",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "744"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12766
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "5028",
            "caller": "0x00403ec0",
            "parentcaller": "0x004029b1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x8c\\x06f\\x00"
              }
            ],
            "repeated": 0,
            "id": 12767
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00717000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12768
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000624"
              }
            ],
            "repeated": 0,
            "id": 12769
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75151520",
            "parentcaller": "0x76f292ed",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06e00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 12770
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "5028",
            "caller": "0x00403f40",
            "parentcaller": "0x00402a57",
            "category": "network",
            "api": "WSASendTo",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "744"
              },
              {
                "name": "ip",
                "value": "85.114.128.127"
              },
              {
                "name": "port",
                "value": "53"
              },
              {
                "name": "Buffer",
                "value": "!\\xd2\\xfd\\xed\\x82\\x9c\\x9e\\x98\\x1d9_2:k\\xa4c\\xc5\\x0c\\xe0n"
              }
            ],
            "repeated": 0,
            "id": 12771
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "5028",
            "caller": "0x00401f0c",
            "parentcaller": "0x03a283d1",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 12772
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29362",
            "parentcaller": "0x76f32725",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 12773
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "2816",
            "caller": "0x00402a83",
            "parentcaller": "0x00000000",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "744"
              }
            ],
            "repeated": 0,
            "id": 12774
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29362",
            "parentcaller": "0x76f32725",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\acppage"
              },
              {
                "name": "DllBase",
                "value": "0x73490000"
              }
            ],
            "repeated": 0,
            "id": 12775
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f5a46a",
            "parentcaller": "0x76f59852",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05700000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 12776
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "2816",
            "caller": "0x004038cd",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002e8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 12777
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f5a478",
            "parentcaller": "0x76f59852",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000066c"
              }
            ],
            "repeated": 0,
            "id": 12778
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f5a478",
            "parentcaller": "0x76f59852",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\sfc"
              },
              {
                "name": "DllBase",
                "value": "0x66680000"
              }
            ],
            "repeated": 0,
            "id": 12779
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12780
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "2816",
            "caller": "0x004038cd",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12781
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12782
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x76f5990d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x66680000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 12783
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 12784
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\msi"
              },
              {
                "name": "DllBase",
                "value": "0x731f0000"
              }
            ],
            "repeated": 0,
            "id": 12785
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12786
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12787
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x76f5990d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x731f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12788
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75151520",
            "parentcaller": "0x76f292ed",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05880000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 12789
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "2816",
            "caller": "0x004038cd",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 12790
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "2816",
            "caller": "0x004038cd",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 12791
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "2816",
            "caller": "0x004038cd",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12792
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "2816",
            "caller": "0x004038cd",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 12793
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "2816",
            "caller": "0x004038cd",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 12794
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x731a5bb3",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12795
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 12796
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 12797
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\AEPIC"
              },
              {
                "name": "DllBase",
                "value": "0x73170000"
              }
            ],
            "repeated": 0,
            "id": 12798
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e57",
            "parentcaller": "0x73148f27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 12799
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e5f",
            "parentcaller": "0x73148f27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000628"
              }
            ],
            "repeated": 0,
            "id": 12800
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e57",
            "parentcaller": "0x73148f40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000062c"
              }
            ],
            "repeated": 0,
            "id": 12801
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e5f",
            "parentcaller": "0x73148f40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000630"
              }
            ],
            "repeated": 0,
            "id": 12802
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e57",
            "parentcaller": "0x731474ec",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 12803
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e5f",
            "parentcaller": "0x731474ec",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 12804
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e57",
            "parentcaller": "0x7314747c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 12805
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e5f",
            "parentcaller": "0x7314747c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 12806
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f29e5f",
            "parentcaller": "0x7314747c",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x73140000"
              }
            ],
            "repeated": 0,
            "id": 12807
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12808
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12809
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x76f5990d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12810
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12811
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12812
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x76f5990d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73170000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12813
          },
          {
            "timestamp": "2026-06-29 22:15:07,343",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f5a5ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\sfc_os"
              },
              {
                "name": "DllBase",
                "value": "0x73130000"
              }
            ],
            "repeated": 0,
            "id": 12814
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x76acd9bd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065c"
              }
            ],
            "repeated": 0,
            "id": 12815
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x76acd9cf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 12816
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x76acd9bd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000664"
              }
            ],
            "repeated": 0,
            "id": 12817
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x76acd9cf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000660"
              }
            ],
            "repeated": 0,
            "id": 12818
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 12819
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 12820
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 12821
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f599ca",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 12822
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x76ae7ce7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12823
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x76ae7ce7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SETUPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 12824
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12825
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12826
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x76f5990d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12827
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12828
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12829
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x76f5990d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73130000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12830
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12831
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12832
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x75b8ef86",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73490000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12833
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 12834
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75151520",
            "parentcaller": "0x76f292ed",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 12835
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f29362",
            "parentcaller": "0x76f32725",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 12836
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f599ca",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              }
            ],
            "repeated": 0,
            "id": 12837
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f59a93",
            "parentcaller": "0x76f59a15",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 12838
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x73b650e7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 12839
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x73b647ee",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 12840
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b911a9",
            "parentcaller": "0x73b650e7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 12841
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x73b647ee",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 12842
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b94290",
            "parentcaller": "0x73b647ee",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\ntshrui"
              },
              {
                "name": "DllBase",
                "value": "0x73b50000"
              }
            ],
            "repeated": 0,
            "id": 12843
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f5a46a",
            "parentcaller": "0x76f59852",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x056f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 12844
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f5a478",
            "parentcaller": "0x76f59852",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 12845
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12846
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12847
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x75b8ef86",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73b50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12848
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f4dd42",
            "parentcaller": "0x76f5a5ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files\\7-Zip\\7-zip32"
              },
              {
                "name": "DllBase",
                "value": "0x735d0000"
              }
            ],
            "repeated": 0,
            "id": 12849
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12850
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12851
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x75b8ef86",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x735d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12852
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x740a54d3",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12853
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x740a54d3",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\twext"
              },
              {
                "name": "DllBase",
                "value": "0x740a0000"
              }
            ],
            "repeated": 0,
            "id": 12854
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f5a46a",
            "parentcaller": "0x76f59852",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 12855
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f5a478",
            "parentcaller": "0x76f59852",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 0,
            "id": 12856
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61db1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12857
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f61e28",
            "parentcaller": "0x76f61de1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77029000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12858
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f66858",
            "parentcaller": "0x75b8ef86",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x740a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12859
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b8f11f",
            "parentcaller": "0x758069c0",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75450000"
              }
            ],
            "repeated": 0,
            "id": 12860
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f6b4e6",
            "parentcaller": "0x75bab545",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "168"
              }
            ],
            "repeated": 0,
            "id": 12861
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x760b45ae",
            "parentcaller": "0x760b442c",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 12862
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753cb380",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 12863
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x75b9106a",
            "parentcaller": "0x753cb402",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 12864
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "168",
            "caller": "0x76f6b509",
            "parentcaller": "0x75bab545",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12865
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "2816",
            "caller": "0x00403784",
            "parentcaller": "0x004038ef",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\cmd.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\cmd.exe\""
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "2144"
              }
            ],
            "repeated": 0,
            "id": 12866
          },
          {
            "timestamp": "2026-06-29 22:15:07,359",
            "thread_id": "2816",
            "caller": "0x00403784",
            "parentcaller": "0x004038ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 12867
          },
          {
            "timestamp": "2026-06-29 22:15:07,390",
            "thread_id": "2816",
            "caller": "0x00403784",
            "parentcaller": "0x004038ef",
            "category": "process",
            "api": "CreateProcessW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\cmd.exe"
              },
              {
                "name": "CommandLine",
                "value": ""
              },
              {
                "name": "CreationFlags",
                "value": "0x08000004"
              },
              {
                "name": "ProcessId",
                "value": "2144"
              },
              {
                "name": "ThreadId",
                "value": "2492"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000002f0"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12868
          },
          {
            "timestamp": "2026-06-29 22:15:07,422",
            "thread_id": "2816",
            "caller": "0x004037ab",
            "parentcaller": "0x004038ef",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002f0"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "2492"
              },
              {
                "name": "ProcessId",
                "value": "2144"
              }
            ],
            "repeated": 0,
            "id": 12869
          },
          {
            "timestamp": "2026-06-29 22:15:07,422",
            "thread_id": "2816",
            "caller": "0x004037b6",
            "parentcaller": "0x004038ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 12870
          },
          {
            "timestamp": "2026-06-29 22:15:07,422",
            "thread_id": "2816",
            "caller": "0x004037bb",
            "parentcaller": "0x004038ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 12871
          },
          {
            "timestamp": "2026-06-29 22:15:07,422",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12872
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75130000"
              }
            ],
            "repeated": 0,
            "id": 12873
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernelbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75a80000"
              }
            ],
            "repeated": 0,
            "id": 12874
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 12875
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000078c"
              }
            ],
            "repeated": 0,
            "id": 12876
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00718000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12877
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000790"
              }
            ],
            "repeated": 0,
            "id": 12878
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 12879
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 12880
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12881
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000724"
              }
            ],
            "repeated": 0,
            "id": 12882
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000071c"
              }
            ],
            "repeated": 0,
            "id": 12883
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 12884
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 12885
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05750000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12886
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 12887
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12888
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              }
            ],
            "repeated": 0,
            "id": 12889
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 12890
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 12891
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              }
            ],
            "repeated": 0,
            "id": 12892
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000600"
              }
            ],
            "repeated": 0,
            "id": 12893
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              }
            ],
            "repeated": 0,
            "id": 12894
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 12895
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12896
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000608"
              }
            ],
            "repeated": 0,
            "id": 12897
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 12898
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 1,
            "id": 12899
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ec"
              }
            ],
            "repeated": 0,
            "id": 12900
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 12901
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              }
            ],
            "repeated": 0,
            "id": 12902
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005dc"
              }
            ],
            "repeated": 0,
            "id": 12903
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 12904
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 12905
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 12906
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 12907
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12908
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c4"
              }
            ],
            "repeated": 0,
            "id": 12909
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 12910
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 12911
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 12912
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 12913
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 12914
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 12915
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 12916
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000059c"
              }
            ],
            "repeated": 0,
            "id": 12917
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 12918
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 12919
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 12920
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000748"
              }
            ],
            "repeated": 0,
            "id": 12921
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 12922
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 12923
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12924
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 12925
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 12926
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 12927
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 12928
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000728"
              }
            ],
            "repeated": 0,
            "id": 12929
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000072c"
              }
            ],
            "repeated": 0,
            "id": 12930
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 12931
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              }
            ],
            "repeated": 0,
            "id": 12932
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000738"
              }
            ],
            "repeated": 0,
            "id": 12933
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12934
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 12935
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 12936
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12937
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 12938
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 12939
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 12940
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 12941
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12942
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e0"
              }
            ],
            "repeated": 0,
            "id": 12943
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f8"
              }
            ],
            "repeated": 0,
            "id": 12944
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f4"
              }
            ],
            "repeated": 0,
            "id": 12945
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 12946
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 12947
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12948
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06e10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013ac000"
              }
            ],
            "repeated": 0,
            "id": 12949
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b8"
              }
            ],
            "repeated": 0,
            "id": 12950
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12951
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 12952
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000434"
              }
            ],
            "repeated": 0,
            "id": 12953
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12954
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 12955
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 12956
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x023f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12957
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 12958
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 12959
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 12960
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 12961
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000348"
              }
            ],
            "repeated": 0,
            "id": 12962
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 12963
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 12964
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 12965
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 12966
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 12967
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c4"
              }
            ],
            "repeated": 0,
            "id": 12968
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 12969
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 12970
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 12971
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 12972
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 12973
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 12974
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 12975
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000714"
              }
            ],
            "repeated": 0,
            "id": 12976
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 12977
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 12978
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05000000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12979
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 12980
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 12981
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 12982
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 12983
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0067f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12984
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 12985
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 12986
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x023d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12987
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 12988
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05030000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12989
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 12990
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 12991
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 12992
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 12993
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 12994
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000028c"
              }
            ],
            "repeated": 0,
            "id": 12995
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 12996
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 12997
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 12998
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 12999
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 13000
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 13001
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001dc"
              }
            ],
            "repeated": 0,
            "id": 13002
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001e0"
              }
            ],
            "repeated": 0,
            "id": 13003
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d8"
              }
            ],
            "repeated": 0,
            "id": 13004
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c0"
              }
            ],
            "repeated": 0,
            "id": 13005
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c4"
              }
            ],
            "repeated": 0,
            "id": 13006
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c8"
              }
            ],
            "repeated": 0,
            "id": 13007
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001cc"
              }
            ],
            "repeated": 0,
            "id": 13008
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d0"
              }
            ],
            "repeated": 0,
            "id": 13009
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d4"
              }
            ],
            "repeated": 0,
            "id": 13010
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x755b2000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13011
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x755b2000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13012
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001b8"
              }
            ],
            "repeated": 0,
            "id": 13013
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001bc"
              }
            ],
            "repeated": 0,
            "id": 13014
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001b4"
              }
            ],
            "repeated": 0,
            "id": 13015
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 13016
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 13017
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000198"
              }
            ],
            "repeated": 0,
            "id": 13018
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000019c"
              }
            ],
            "repeated": 0,
            "id": 13019
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a0"
              }
            ],
            "repeated": 0,
            "id": 13020
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a4"
              }
            ],
            "repeated": 0,
            "id": 13021
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a8"
              }
            ],
            "repeated": 0,
            "id": 13022
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001b0"
              }
            ],
            "repeated": 0,
            "id": 13023
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ac"
              }
            ],
            "repeated": 0,
            "id": 13024
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000178"
              }
            ],
            "repeated": 0,
            "id": 13025
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000017c"
              }
            ],
            "repeated": 0,
            "id": 13026
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000174"
              }
            ],
            "repeated": 0,
            "id": 13027
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000338"
              }
            ],
            "repeated": 0,
            "id": 13028
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 13029
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000170"
              }
            ],
            "repeated": 0,
            "id": 13030
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000168"
              }
            ],
            "repeated": 0,
            "id": 13031
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000016c"
              }
            ],
            "repeated": 0,
            "id": 13032
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000164"
              }
            ],
            "repeated": 0,
            "id": 13033
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000160"
              }
            ],
            "repeated": 0,
            "id": 13034
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000015c"
              }
            ],
            "repeated": 0,
            "id": 13035
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              }
            ],
            "repeated": 0,
            "id": 13036
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 13037
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 13038
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 13039
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000148"
              }
            ],
            "repeated": 0,
            "id": 13040
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05710000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13041
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000688"
              }
            ],
            "repeated": 0,
            "id": 13042
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000130"
              }
            ],
            "repeated": 0,
            "id": 13043
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000134"
              }
            ],
            "repeated": 0,
            "id": 13044
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000138"
              }
            ],
            "repeated": 0,
            "id": 13045
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000013c"
              }
            ],
            "repeated": 0,
            "id": 13046
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000140"
              }
            ],
            "repeated": 0,
            "id": 13047
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000144"
              }
            ],
            "repeated": 0,
            "id": 13048
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000150"
              }
            ],
            "repeated": 0,
            "id": 13049
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000014c"
              }
            ],
            "repeated": 0,
            "id": 13050
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 13051
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043c"
              }
            ],
            "repeated": 0,
            "id": 13052
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 13053
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 13054
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000012c"
              }
            ],
            "repeated": 0,
            "id": 13055
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000124"
              }
            ],
            "repeated": 0,
            "id": 13056
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000128"
              }
            ],
            "repeated": 0,
            "id": 13057
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000110"
              }
            ],
            "repeated": 0,
            "id": 13058
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000010c"
              }
            ],
            "repeated": 0,
            "id": 13059
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000ec"
              }
            ],
            "repeated": 0,
            "id": 13060
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 13061
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f4"
              }
            ],
            "repeated": 0,
            "id": 13062
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 13063
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f4"
              }
            ],
            "repeated": 0,
            "id": 13064
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 13065
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f4"
              }
            ],
            "repeated": 0,
            "id": 13066
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x058a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x01260000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 13067
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              }
            ],
            "repeated": 0,
            "id": 13068
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f8"
              }
            ],
            "repeated": 0,
            "id": 13069
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13070
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x006f2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13071
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0067f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13072
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 13073
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e8"
              }
            ],
            "repeated": 0,
            "id": 13074
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e4"
              }
            ],
            "repeated": 0,
            "id": 13075
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e0"
              }
            ],
            "repeated": 0,
            "id": 13076
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f00000"
              }
            ],
            "repeated": 0,
            "id": 13077
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 13078
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000dc"
              }
            ],
            "repeated": 0,
            "id": 13079
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000009c"
              }
            ],
            "repeated": 0,
            "id": 13080
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000098"
              }
            ],
            "repeated": 0,
            "id": 13081
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000088"
              }
            ],
            "repeated": 0,
            "id": 13082
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000008c"
              }
            ],
            "repeated": 0,
            "id": 13083
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000094"
              }
            ],
            "repeated": 0,
            "id": 13084
          },
          {
            "timestamp": "2026-06-29 22:15:07,531",
            "thread_id": "2816",
            "caller": "0x004038f6",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13085
          }
        ],
        "threads": [
          "5028",
          "4444",
          "4564",
          "4156",
          "4296",
          "2816",
          "168",
          "1096",
          "348",
          "1140",
          "408",
          "5064"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x00400000",
          "MainExeSize": "0x00041000",
          "Bitness": "32-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 756,
        "process_name": "svchost.exe",
        "parent_id": 632,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2026-06-29 22:15:02,660",
        "calls": [
          {
            "timestamp": "2026-06-29 22:15:10,019",
            "thread_id": "2856",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000880"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-29 22:15:11,113",
            "thread_id": "3624",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a84632e1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7170000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-29 22:15:20,019",
            "thread_id": "3624",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000880"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 2
          },
          {
            "timestamp": "2026-06-29 22:15:40,004",
            "thread_id": "3624",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-29 22:15:50,019",
            "thread_id": "1176",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000880"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-29 22:16:00,004",
            "thread_id": "1176",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-29 22:16:10,019",
            "thread_id": "2856",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 2,
            "id": 6
          },
          {
            "timestamp": "2026-06-29 22:16:40,004",
            "thread_id": "2856",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000087c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 7
          },
          {
            "timestamp": "2026-06-29 22:16:50,863",
            "thread_id": "1176",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000820"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000880"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000820"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-29 22:17:00,004",
            "thread_id": "2856",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 2,
            "id": 9
          },
          {
            "timestamp": "2026-06-29 22:17:30,019",
            "thread_id": "1176",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 2,
            "id": 10
          },
          {
            "timestamp": "2026-06-29 22:18:00,004",
            "thread_id": "844",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 11
          }
        ],
        "threads": [
          "2856",
          "3624",
          "1176",
          "844"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff69d480000",
          "MainExeSize": "0x00011000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 2144,
        "process_name": "cmd.exe",
        "parent_id": 3236,
        "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "first_seen": "2026-06-29 22:15:07,493",
        "calls": [
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "2492",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "2492",
            "caller": "0x76f72aa0",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000008"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "2492",
            "caller": "0x76f72d10",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "2492",
            "caller": "0x76f72c40",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4804",
            "caller": "0x76f51b4e",
            "parentcaller": "0x76f4daf1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000084"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 4
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4636",
            "caller": "0x75b95cb2",
            "parentcaller": "0x75b95bc8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000090"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xf0S\\x06\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf0S\\x06\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4636",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4636",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4804",
            "caller": "0x75b95cb2",
            "parentcaller": "0x75b95bc8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000090"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\xa0\\xf1C\\x06\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\xa8\\xf1C\\x06\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4804",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4804",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "2264",
            "caller": "0x75b95cb2",
            "parentcaller": "0x75b95bc8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000090"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\xe8\\xf43\\x06\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\xf0\\xf43\\x06\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "2264",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "2264",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4824",
            "caller": "0x75b95cb2",
            "parentcaller": "0x75b95bc8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000090"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\xb8\\xf6\\xd1\\x04\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\xc0\\xf6\\xd1\\x04\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4824",
            "caller": "0x76f40787",
            "parentcaller": "0x76f4048f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03163000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4824",
            "caller": "0x76f66416",
            "parentcaller": "0x76f66321",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-29 22:15:08,258",
            "thread_id": "4824",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-29 22:15:09,477",
            "thread_id": "2492",
            "caller": "0x76f72aa0",
            "parentcaller": "0x00000000",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000004"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "13",
                "pretty_value": "FileDispositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-29 22:15:09,477",
            "thread_id": "2492",
            "caller": "0x76f6b4b0",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-29 22:15:09,524",
            "thread_id": "2492",
            "caller": "0xffffffffff676980",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2492"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-29 22:15:09,977",
            "thread_id": "2492",
            "caller": "0xffffffffff676980",
            "parentcaller": "0x00000000",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-29 22:15:10,118",
            "thread_id": "2492",
            "caller": "0xffffffffff676980",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-29 22:15:10,165",
            "thread_id": "2492",
            "caller": "0xffffffffff676980",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-29 22:15:10,305",
            "thread_id": "5092",
            "caller": "0x76f90a99",
            "parentcaller": "0x7514fa29",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000234"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-29 22:15:10,305",
            "thread_id": "5092",
            "caller": "0x76f6b4e6",
            "parentcaller": "0x76f3603c",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5092"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-29 22:15:10,305",
            "thread_id": "5092",
            "caller": "0x76f6b509",
            "parentcaller": "0x76f3603c",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-29 22:15:10,305",
            "thread_id": "1284",
            "caller": "0x76f90a99",
            "parentcaller": "0x7514fa29",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000238"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-29 22:15:10,305",
            "thread_id": "1284",
            "caller": "0x76f6b4e6",
            "parentcaller": "0x76f3603c",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1284"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-29 22:15:10,305",
            "thread_id": "1284",
            "caller": "0x76f6b509",
            "parentcaller": "0x76f3603c",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-29 22:15:10,336",
            "thread_id": "2492",
            "caller": "0xffffffffff676980",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-29 22:15:10,383",
            "thread_id": "2492",
            "caller": "0xffffffffff676980",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-29 22:15:10,383",
            "thread_id": "2492",
            "caller": "0xffffffffff676980",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0xffffffff"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 32
          }
        ],
        "threads": [
          "2492",
          "4804",
          "4636",
          "2264",
          "4824",
          "5092",
          "1284"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x00010000",
          "MainExeSize": "0x0005a000",
          "Bitness": "32-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "invoice_231836298371.exe",
        "pid": 3236,
        "parent_id": 2892,
        "module_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
        "children": [
          {
            "name": "cmd.exe",
            "pid": 2144,
            "parent_id": 3236,
            "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
            "children": [],
            "threads": [
              "2492",
              "4804",
              "4636",
              "2264",
              "4824",
              "5092",
              "1284"
            ],
            "environ": {
              "UserName": "Rajesh",
              "ComputerName": "DESKTOP-P54VDBR",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
              "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\"",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "1c64-b66f",
              "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x00010000",
              "MainExeSize": "0x0005a000",
              "Bitness": "32-bit"
            }
          }
        ],
        "threads": [
          "5028",
          "4444",
          "4564",
          "4156",
          "4296",
          "2816",
          "168",
          "1096",
          "348",
          "1140",
          "408",
          "5064"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x00400000",
          "MainExeSize": "0x00041000",
          "Bitness": "32-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 756,
        "parent_id": 632,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [],
        "threads": [
          "2856",
          "3624",
          "1176",
          "844"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff69d480000",
          "MainExeSize": "0x00011000",
          "Bitness": "64-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Windows\\System32\\cryptsp.dll",
        "C:\\Windows",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe",
        "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\@",
        "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\U",
        "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\L",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msimg32.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe",
        "C:\\Windows\\System32\\kernel.appcore.dll",
        "C:\\Windows\\System32\\uxtheme.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\PROPSYS.dll",
        "C:\\Windows\\System32\\propsys.dll",
        "C:\\Windows\\SysWOW64\\propsys.dll",
        "C:\\Windows\\sysnative\\propsys.dll",
        "C:\\Windows\\System32\\en-US\\PROPSYS.dll.mui",
        "C:\\Windows\\sysnative\\en-US\\PROPSYS.dll.mui",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db",
        "C:\\Users\\Rajesh\\Desktop\\desktop.ini",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\profapi.dll",
        "C:\\Windows\\System32\\profapi.dll",
        "C:\\Users\\Rajesh\\Documents\\desktop.ini",
        "C:\\Users\\Rajesh\\Music\\desktop.ini",
        "C:\\Users\\Rajesh\\Pictures\\desktop.ini",
        "C:\\Users\\Rajesh\\Videos\\desktop.ini",
        "C:\\Users\\Rajesh\\Downloads\\desktop.ini",
        "C:\\Users\\Rajesh",
        "C:\\Users\\Rajesh\\Searches\\desktop.ini",
        "C:\\Users\\Rajesh\\Contacts\\desktop.ini",
        "C:\\Users\\Rajesh\\Favorites\\desktop.ini",
        "C:\\Users\\Rajesh\\Links\\desktop.ini",
        "C:\\Users\\Rajesh\\Saved Games\\desktop.ini",
        "C:\\",
        "C:\\Windows\\System32\\cfgmgr32.dll",
        "C:\\Users\\desktop.ini",
        "\\Device\\DeviceApi\\CMApi",
        "\\??\\MountPointManager",
        "C:\\Windows\\System32\\en-US\\twext.dll.mui",
        "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll",
        "C:\\Windows\\System32\\policymanager.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msvcp110_win.dll",
        "C:\\Windows\\System32\\msvcp110_win.dll",
        "C:\\Users",
        "C:\\Users\\Rajesh\\AppData",
        "C:\\Users\\Rajesh\\AppData\\Local",
        "C:\\Users\\Rajesh\\Desktop",
        "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned",
        "C:\\Users\\Rajesh\\AppData\\Roaming",
        "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft",
        "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\desktop.ini",
        "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer",
        "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch",
        "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini",
        "C:\\Windows\\System32\\iertutil.dll",
        "C:\\Windows\\system32",
        "C:\\Windows\\System32\\srvcli.dll",
        "\\??\\PIPE\\srvsvc",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\cscapi.dll",
        "C:\\Windows\\System32\\cscapi.dll",
        "C:\\Windows\\System32\\netutils.dll",
        "C:\\Windows\\System32\\en-US\\ntshrui.dll.mui",
        "C:\\Windows\\sysnative\\en-US\\ntshrui.dll.mui",
        "C:\\Windows\\System32\\twinapi.appcore.dll",
        "C:\\Windows\\Fonts\\staticcache.dat",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TextShaping.dll",
        "C:\\Windows\\System32\\TextShaping.dll",
        "C:\\Program Files\\7-Zip\\Lang\\en.txt",
        "C:\\Program Files\\SystemResources\\7-zip32.dll.mun",
        "C:\\Windows\\WinSxS\\FileMaps\\users_rajesh_appdata_local_temp_9023b969dd9e9f6f.cdf-ms",
        "C:\\Windows\\System32\\setupapi.dll",
        "C:\\Windows\\System32\\en-US\\acppage.dll.mui",
        "C:\\Windows\\System32\\shell32.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe.Local\\",
        "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\imageres.dll",
        "C:\\Windows\\System32\\imageres.dll",
        "C:\\Windows\\SystemResources\\imageres.dll.mun",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\edputil.dll",
        "C:\\Windows\\System32\\edputil.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\urlmon.dll",
        "C:\\Windows\\System32\\urlmon.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCookies",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe:Zone.Identifier",
        "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\MPR.dll",
        "C:\\Windows\\System32\\mpr.dll",
        "C:\\Windows\\System32\\pcacli.dll",
        "\\??\\PhysicalDrive0"
      ],
      "read_files": [],
      "write_files": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Google",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}",
        "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe",
        "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\@",
        "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\U",
        "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\L",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msimg32.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe",
        "\\??\\PIPE\\srvsvc"
      ],
      "delete_files": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe"
      ],
      "keys": [
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Update\\x00\\x202e\\x2764\\x695c",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\UseFindFirstFileEnumeration",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\UseFindFirstFileEnumeration",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\invoice_231836298371.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
        "HKEY_CURRENT_USER\\Software\\Classes",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry",
        "HKEY_CURRENT_USER\\Software\\Classes\\Drive\\shellex\\FolderExtensions",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Drive\\shellex\\FolderExtensions",
        "HKEY_CURRENT_USER\\Software\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe",
        "HKEY_CURRENT_USER\\Software\\Classes\\.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\ShellEx\\IconHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\IconHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\SystemFileAssociations\\.exe",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{75847177-F077-4171-BD2C-A6BB2164FBD0}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\IconHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\Folder",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Folder",
        "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\ShellEx\\IconHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFilesystemObjects",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
        "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid",
        "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F42EE2D3-909F-4907-8871-4C22FC0BF756}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{F42EE2D3-909F-4907-8871-4C22FC0BF756}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A0C69A99-21C8-4671-8703-7934162FCF1D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{A0C69A99-21C8-4671-8703-7934162FCF1D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0DDD015D-B06C-45D5-8C4C-F59713854639}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{0DDD015D-B06C-45D5-8C4C-F59713854639}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PropertyBag",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\CallForAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\FolderValueFlags",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\MonitorRegistry",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders\\StorageDelegateSuppressionPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreventItemCreationInUsersFilesFolder",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreventItemCreationInUsersFilesFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders\\StorageDelegate",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\CLSID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32\\LoadWithoutCOM",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\DescriptionID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\HelpTopic",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\AllowChildAliasRegistration",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\RecursiveSearch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\TargetKnownFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WCOSEnumerationBaselineAllowedlist",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AllowedEnumeration",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4FFE-A368-0DE96E47012E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4BD9-94B0-29233477B6C3}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PropertyBag\\ThisPCPolicy",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\fdeploy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4AF4-A7EB-4E7A138D8174}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4C59-B6A2-414586476AEA}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4A90-BBA9-27CBC0C5389A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4900540-2379-4C75-844B-64E6FAF8716B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PropertyBag\\ThisPCPolicy",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{56784854-C6CB-462B-8169-88E350ACB882}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4E48-96A1-3F6217F21990}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464B-ABE8-61C8648D939B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Favorites",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482AF6C-08F1-4C34-8C90-E17EC98B1E17}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{BCB5256F-79F6-4CEE-B725-DC34E402FD46}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE61D971-5EBC-4F02-A3A9-6C82895E5C04}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7BEDE81-DF94-4682-A7D8-57A52620B86F}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4EAB-965A-69829D1FB59F}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1E87508D-89C2-42F0-8A7E-645A0F50CA58}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{859EAD94-2E85-48AD-A71A-0969CB56A6CD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A305CE99-F527-492B-8B1A-7E76FA98D6E4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4F30-9B45-F670235F79C0}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4E80-94BC-9912D7504104}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4F11-9E78-5F7800F2E772}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49A9-B74D-02885A5DC765}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4B87-BFD0-4CD0DFB19B39}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DF7266AC-9274-4867-8D55-3BD661DE872D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905E63B6-C1BF-494E-B29C-65B732D3D21A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337D1-B8CA-4121-A639-6D472D16972A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{54EED2E0-E7CA-4FDB-9148-0F4247291CFA}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{54EED2E0-E7CA-4fdb-9148-0F4247291CFA}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5cd7aee2-2219-4a67-b85d-6c9ce15660cb}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B94237E7-57AC-4347-9151-B08C6C32D1F7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B94237E7-57AC-4347-9151-B08C6C32D1F7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A63293E8-664E-48DB-A079-DF759E0509F7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A63293E8-664E-48DB-A079-DF759E0509F7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5CE4A5E9-E4EB-479D-B89F-130C02886155}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5CE4A5E9-E4EB-479D-B89F-130C02886155}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A74AEB-AEB4-465C-A014-D097EE346D63}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A74AEB-AEB4-465C-A014-D097EE346D63}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{43668BF8-C14E-49B2-97C9-747784D784B7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{43668BF8-C14E-49B2-97C9-747784D784B7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{915221FB-9EFE-4BDA-8FD7-F78DCA774F87}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{915221FB-9EFE-4bda-8FD7-F78DCA774F87}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7E636BFE-DFA9-4D5E-B456-D7B39851D8A9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7E636BFE-DFA9-4D5E-B456-D7B39851D8A9}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}\\PropertyBag",
        "HKEY_CURRENT_USER\\Software\\Classes\\DelegateFolders",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\DelegateFolders",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\UsersFiles\\NameSpace",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\UsersFiles\\NameSpace\\DelegateFolders",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\ShellEx\\DataHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\DataHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\.exe\\ShellEx\\DataHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\ShellEx\\DataHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\DataHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\DataHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\*",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\*",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\ShellEx\\DataHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\ShellEx\\DataHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\DataHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\DataHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Kind.program",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\Compatibility",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\PintoStartScreen",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\shellex\\ContextMenuHandlers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\shellex\\ContextMenuHandlers",
        "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program\\shellex\\ContextMenuHandlers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\shellex\\ContextMenuHandlers",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\7-Zip",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ModernSharing",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Open With EncryptionMenu",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\Sharing",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\WorkFolders",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\CopyAsPathMenu",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\SendTo",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{596AB062-B4D2-4215-9F74-E9109B0A8153}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shellex\\ContextMenuHandlers\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{596AB062-B4D2-4215-9F74-E9109B0A8153}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{596ab062-b4d2-4215-9f74-e9109b0a8153}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{596AB062-B4D2-4215-9F74-E9109B0A8153}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PreviousVersions",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_CURRENT_USER\\Software\\Classes\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\{000214F9-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat",
        "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\invoice_231836298371.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\AppID\\invoice_231836298371.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{7BA4C740-9E81-11CF-99D3-00AA004AE837}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f3d06e7c-1e45-4a26-847e-f9fcdee59be0}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\SystemPropertyHandlers",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.exe",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\OverrideFileSystemProperties",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\OverrideFileSystemProperties",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}",
        "HKEY_CURRENT_USER\\Software\\Classes\\ExplorerCLSIDFlags\\{66742402-F9B9-11D1-A202-0000F81FEDEE}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\ExplorerCLSIDFlags\\{66742402-F9B9-11D1-A202-0000F81FEDEE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{66742402-F9B9-11D1-A202-0000F81FEDEE}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{66742402-F9B9-11D1-A202-0000F81FEDEE}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A07034FD-6CAA-4954-AC3F-97A27216F98A}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{a07034fd-6caa-4954-ac3f-97a27216f98a}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\Applications\\InstallFlashPlayer.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Applications\\InstallFlashPlayer.exe",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{90AA3A4E-1CBA-4233-B8BB-535773D48449}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\QfePolicyDefinitions\\{A48F1A32-A340-11D1-BC6B-00A0C90312E1}\\{99431419-3869-4970-9AA5-1C5EA306DD79}",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Start\\NoPinningToTaskbar",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Start",
        "HKEY_CURRENT_USER\\",
        "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile",
        "HKEY_CURRENT_USER\\Control Panel\\International\\Geo",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Taskband",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1F3427C8-5C10-4210-AA03-2EE45287D668}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\InitPropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{02DF6DB6-9405-4812-B3F6-500E8615B7AF}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{02df6db6-9405-4812-b3f6-500e8615b7af}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.Share",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.Share\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{99D353BC-C813-41EC-8F28-EAE61E702E57}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{99D353BC-C813-41ec-8F28-EAE61E702E57}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{99d353bc-c813-41ec-8f28-eae61e702e57}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{99D353BC-C813-41EC-8F28-EAE61E702E57}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Security",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\ShareCommands\\shell",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\ShareCommands\\shell",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{6311429E-2F1A-4777-880F-C7289FD10169}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{6311429E-2F1A-4777-880F-C7289FD10169}",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Sharing",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{A470F8CF-A1E8-4f65-8335-227475AA5C46}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A470F8CF-A1E8-4F65-8335-227475AA5C46}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{09799AFB-AD67-11d1-ABCD-00C04FC30936}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{09799AFB-AD67-11D1-ABCD-00C04FC30936}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.ModernShare",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\Windows.ModernShare\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.DataTransfer.DataTransferManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.DataTransfer.DataTransferManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Personalization",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe MDL2 Assets",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{23170f69-40c1-278a-1000-000100020000}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\IdentityStore\\Providers\\{D7F9888F-E3FC-49B0-9EA6-A85B5F392A4F}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{23170F69-40C1-278A-1000-000100020000}",
        "HKEY_CURRENT_USER\\Software\\7-Zip",
        "HKEY_CURRENT_USER\\SOFTWARE\\7-Zip\\Lang",
        "HKEY_CURRENT_USER\\Software\\7-Zip\\Options",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470C0EBD-5D73-4D58-9CED-E91E22E23282}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{470C0EBD-5D73-4d58-9CED-E91E22E23282}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{470c0ebd-5d73-4d58-9ced-e91e22e23282}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\shellex\\NoAddToRecent",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\shellex\\NoAddToRecent",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\InProcServer32",
        "HKEY_USERS\\S-1-5-18\\Software\\Microsoft\\IdentityCRL\\StoredIdentities",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1d27f844-3a1f-4410-85ac-14651078412d}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\HomeGroupProvider\\ServiceData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{1D27F844-3A1F-4410-85AC-14651078412D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1D27F844-3A1F-4410-85AC-14651078412D}",
        "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{21B22460-3AEA-1069-A2DC-08002B30309D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\CustomAttributes",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D81E96F1-A89C-417E-9335-59531026309D}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{D81E96F1-A89C-417E-9335-59531026309D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\CustomAttributes",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{06075BC6-9C03-45CD-A980-DB688D7407AD}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Shell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runasuser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runasuser\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open\\command",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\open\\DropTarget",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\DropTarget",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\command",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\DropTarget",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\runas\\DropTarget",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots",
        "HKEY_CURRENT_USER\\Software\\Classes\\SystemFileAssociations\\.exe\\Shell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\Shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\Kind.program\\Shell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Kind.program\\Shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\Shell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\Shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\open",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\open",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\removeproperties",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\removeproperties\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas\\command",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas\\command",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\runas\\DropTarget",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\runas\\DropTarget",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\Shell",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\Shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\command",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\command",
        "HKEY_CURRENT_USER\\Software\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\DropTarget",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\shell\\UpdateEncryptionSettingsWork\\DropTarget",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\Shell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\open",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\open",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\LaunchWorkfoldersControl\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\shell\\OfflineFilesLaunchSyncCenter\\",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1649D1CF-DEAF-4A68-ABE8-5C9F68572FD1}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1649D1CF-DEAF-4A68-ABE8-5C9F68572FD1}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{1649d1cf-deaf-4a68-abe8-5c9f68572fd1}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Application",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Application",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_URI_DISABLECACHE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Security",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Security",
        "HKEY_LOCAL_MACHINE\\System\\Setup",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\Progid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Progid",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\ProgIDs\\exefile",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\InstallFlashPlayer.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\InstallFlashPlayer.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\CustomAttributes",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer",
        "HKEY_CURRENT_USER\\Software\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder",
        "HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\ProviderOrder",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\AppCompat",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppCompat",
        "HKEY_CURRENT_USER\\Software\\Classes\\Applications\\%1.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Applications\\%1.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\UseFindFirstFileEnumeration",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\UseFindFirstFileEnumeration",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{F42EE2D3-909F-4907-8871-4C22FC0BF756}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{A0C69A99-21C8-4671-8703-7934162FCF1D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{0DDD015D-B06C-45D5-8C4C-F59713854639}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\CallForAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\FolderValueFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\MonitorRegistry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders\\StorageDelegateSuppressionPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreventItemCreationInUsersFilesFolder",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreventItemCreationInUsersFilesFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders\\StorageDelegate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\CLSID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32\\LoadWithoutCOM",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\DescriptionID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\HelpTopic",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\AllowChildAliasRegistration",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\RecursiveSearch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\TargetKnownFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PropertyBag\\ThisPCPolicy",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PropertyBag\\ThisPCPolicy",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{56784854-C6CB-462B-8169-88E350ACB882}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Favorites",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\ThisPCPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\BaseFolderId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Attributes",
        "HKEY_CURRENT_USER\\SOFTWARE\\7-Zip\\Lang"
      ],
      "write_keys": [
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Update\\x00\\x202e\\x2764\\x695c",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
      ],
      "delete_keys": [],
      "executed_commands": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe ",
        "\"C:\\Windows\\system32\\cmd.exe\""
      ],
      "resolved_apis": [],
      "mutexes": [
        "Local\\SM0:3236:168:WilStaging_02",
        "Local\\SM0:3236:64:WilError_03",
        "Global\\SyncRootManager",
        "Local\\SessionImmersiveColorMutex",
        "Local\\ZonesCacheCounterMutex",
        "Local\\ZonesLockedCacheCounterMutex"
      ],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:14:57,093",
        "eid": 1,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:14:57,093",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:14:57,093",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:14:57,093",
        "eid": 4,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x75130000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:14:57,093",
        "eid": 5,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:14:57,093",
        "eid": 6,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:14:59,750",
        "eid": 7,
        "data": {
          "file": "ntdll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,000",
        "eid": 8,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,000",
        "eid": 9,
        "data": {
          "file": "KERNEL32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,000",
        "eid": 10,
        "data": {
          "file": "WS2_32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,000",
        "eid": 11,
        "data": {
          "file": "ADVAPI32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,000",
        "eid": 12,
        "data": {
          "file": "SHELL32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,062",
        "eid": 13,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,062",
        "eid": 14,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,062",
        "eid": 15,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,093",
        "eid": 16,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
          "content": "%USERPROFILE%\\AppData\\Local"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,109",
        "eid": 17,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,125",
        "eid": 18,
        "data": {
          "file": "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\@"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,156",
        "eid": 19,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msimg32.dll"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,172",
        "eid": 20,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,187",
        "eid": 21,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,187",
        "eid": 22,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,187",
        "eid": 23,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,187",
        "eid": 24,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,203",
        "eid": 25,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,203",
        "eid": 26,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,203",
        "eid": 27,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,203",
        "eid": 28,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,203",
        "eid": 29,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\UseFindFirstFileEnumeration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,203",
        "eid": 30,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\UseFindFirstFileEnumeration",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,218",
        "eid": 31,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,218",
        "eid": 32,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,218",
        "eid": 33,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,218",
        "eid": 34,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,218",
        "eid": 35,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 36,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 37,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 38,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 39,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 40,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 41,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 42,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 43,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 44,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 45,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 46,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 47,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 48,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 49,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 50,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 51,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags",
          "content": "1581568"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 52,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 53,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 54,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 55,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 56,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
          "content": "32"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 57,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 58,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 59,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 60,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe",
          "content": "program"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,234",
        "eid": 61,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
          "content": "application/x-msdownload"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 62,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 63,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 64,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 65,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 66,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
          "content": "$\\x00\\x00\\x004(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 67,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 68,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 69,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 70,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 71,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 72,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 73,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 74,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 75,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 76,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 77,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 78,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 79,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 80,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 81,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,250",
        "eid": 82,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 83,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 84,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 85,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 86,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 87,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 88,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 89,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 90,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 91,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)",
          "content": "exefile"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 92,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 93,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 94,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 95,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 96,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
          "content": "application/x-msdownload"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 97,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 98,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 99,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
          "content": "Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
          "content": "Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21769"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-183"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 119,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 120,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 121,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 122,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 123,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,265",
        "eid": 124,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
          "content": "%USERPROFILE%\\Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,281",
        "eid": 125,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-06-29 22:15:01,281",
        "eid": 126,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\Caches"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,281",
        "eid": 127,
        "data": {
          "file": "C:\\Users\\Rajesh\\Desktop\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,281",
        "eid": 128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,281",
        "eid": 129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 142,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name",
          "content": "Libraries"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 143,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 144,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 145,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath",
          "content": "Microsoft\\Windows\\Libraries"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 146,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 147,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 148,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 162,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Name",
          "content": "AppData"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 167,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\RelativePath",
          "content": "AppData\\Roaming"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 168,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 169,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 170,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 172,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 175,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,297",
        "eid": 184,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
          "content": "%USERPROFILE%\\AppData\\Roaming"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Name",
          "content": "Local Documents"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\RelativePath",
          "content": "Documents"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{d3162b92-9365-467a-956b-92703aca08af}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21770"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-112"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 196,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 197,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 198,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 199,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 200,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 201,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 202,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 203,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 204,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 205,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 207,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{F42EE2D3-909F-4907-8871-4C22FC0BF756}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 208,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 209,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
          "content": "Profile"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 210,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 211,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 212,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 213,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,312",
        "eid": 228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,328",
        "eid": 229,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,328",
        "eid": 230,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,328",
        "eid": 231,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,343",
        "eid": 232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,343",
        "eid": 233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,343",
        "eid": 234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 235,
        "data": {
          "file": "C:\\Users\\Rajesh\\Documents\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Name",
          "content": "Local Music"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 238,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 239,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 240,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\RelativePath",
          "content": "Music"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 241,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 243,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12689"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21790"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-108"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,359",
        "eid": 246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 258,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{A0C69A99-21C8-4671-8703-7934162FCF1D}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 259,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,375",
        "eid": 261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,390",
        "eid": 262,
        "data": {
          "file": "C:\\Users\\Rajesh\\Music\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,390",
        "eid": 263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,390",
        "eid": 264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Name",
          "content": "Local Pictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,390",
        "eid": 265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,390",
        "eid": 266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\RelativePath",
          "content": "Pictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{24ad3ad4-a569-4530-98e1-ab02f9417aa8}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12688"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21779"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-113"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 276,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 277,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 278,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 279,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 280,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,406",
        "eid": 281,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,422",
        "eid": 282,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,422",
        "eid": 283,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,422",
        "eid": 284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,422",
        "eid": 285,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{0DDD015D-B06C-45D5-8C4C-F59713854639}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,422",
        "eid": 286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,422",
        "eid": 287,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,422",
        "eid": 288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,437",
        "eid": 289,
        "data": {
          "file": "C:\\Users\\Rajesh\\Pictures\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,437",
        "eid": 290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Name",
          "content": "Local Videos"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 292,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\RelativePath",
          "content": "Videos"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 295,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12690"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21791"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-189"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 301,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 302,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 303,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,453",
        "eid": 304,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 305,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 306,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 308,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 309,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 310,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 311,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 312,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 313,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 314,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,468",
        "eid": 315,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 316,
        "data": {
          "file": "C:\\Users\\Rajesh\\Videos\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 317,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 318,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Name",
          "content": "Local Downloads"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 319,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 320,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\RelativePath",
          "content": "Downloads"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 322,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 323,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{088e3905-0323-4b02-9826-5d99428e115f}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 324,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 325,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21798"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 326,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-184"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 327,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 328,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 329,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 330,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 331,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 332,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 338,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 339,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 340,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 341,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 342,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{75847177-f077-4171-bd2c-a6bb2164fbd0}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,484",
        "eid": 343,
        "data": {
          "file": "C:\\Users\\Rajesh\\Downloads\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 344,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 345,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 346,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Name",
          "content": "UsersFilesFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 350,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\ParsingName",
          "content": "::{59031a47-3f72-44a7-89c5-5595fe6b30ee}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 352,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 354,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 355,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 357,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 358,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 367,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\Attributes",
          "content": "18446744073449767213"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\CallForAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\RestrictedAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 370,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\ShellFolder\\FolderValueFlags",
          "content": "5243433"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 372,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\Windows.Storage.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 373,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 374,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\MonitorRegistry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 375,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders\\StorageDelegateSuppressionPolicy",
          "content": "{92803FB4-7706-4035-ACD7-F63E069D3697}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,500",
        "eid": 376,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreventItemCreationInUsersFilesFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 377,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreventItemCreationInUsersFilesFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 378,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UsersFiles\\NameSpace\\DelegateFolders\\StorageDelegate",
          "content": "{DFFACDC5-679F-4156-8947-C5C76BC0B67F}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 379,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\Windows.Storage.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 380,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\CLSID",
          "content": "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\Windows.Storage.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 382,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\\InProcServer32\\LoadWithoutCOM",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 383,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\Attributes",
          "content": "17"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\DescriptionID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 386,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\HelpTopic",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\AllowChildAliasRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,515",
        "eid": 388,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\RecursiveSearch",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 389,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\TargetKnownFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\\Instance\\InitPropertyBag\\TargetKnownFolder",
          "content": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Name",
          "content": "Searches"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 394,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\RelativePath",
          "content": "Searches"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\ParsingName",
          "content": "::{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\{7d1d3a04-debb-4115-95cf-2f29da2920da}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-9031"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-18"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\FolderTypeID",
          "content": "{0b0ba2e3-405f-415e-a6ee-cad625207853}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 413,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d1d3a04-debb-4115-95cf-2f29da2920da}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 414,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 418,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
          "content": "Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 419,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 420,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 421,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 422,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 423,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 432,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Name",
          "content": "ProgramFilesCommon"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 446,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 449,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 450,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 451,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 455,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 456,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Name",
          "content": "MusicLibrary"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParentFolder",
          "content": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 463,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\RelativePath",
          "content": "Music.library-ms"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 464,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 465,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\ParsingName",
          "content": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 466,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12689"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-34584"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-1004"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 469,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 470,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\StreamResource",
          "content": "%SystemRoot%\\system32\\shell32.dll,-2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 471,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\StreamResourceType",
          "content": "LIBRARY"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 472,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 473,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 474,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 475,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Stream",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 476,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 477,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 478,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,531",
        "eid": 479,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 480,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2112AB0A-C86A-4ffe-A368-0DE96E47012E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 481,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 482,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Name",
          "content": "PublicLibraries"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 483,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 484,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 485,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\RelativePath",
          "content": "Libraries"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 486,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 487,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 488,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 489,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 490,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 491,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 494,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 499,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\Attributes",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 500,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 501,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{48daf80b-e6cf-4f4e-b800-0e69d84ee384}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 502,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 503,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Name",
          "content": "Common Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 504,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 505,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 506,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\RelativePath",
          "content": "Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 507,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 508,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 509,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21799"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 510,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 511,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Security",
          "content": "D:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;IU)(A;OICI;FA;;;SY)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 512,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 514,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 515,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 516,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 517,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 518,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 519,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Attributes",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 521,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Name",
          "content": "AppDataDocuments"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\RelativePath",
          "content": "Documents"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 528,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 529,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 531,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 537,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Name",
          "content": "CD Burning"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\RelativePath",
          "content": "Microsoft\\Windows\\Burn\\Burn"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21815"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\LocalRedirectOnly",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 557,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 558,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 562,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 563,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 564,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9E52AB10-F80D-49DF-ACB8-4330F5687855}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 565,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 566,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Name",
          "content": "SavedPicturesLibrary"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 567,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParentFolder",
          "content": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 568,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 569,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\RelativePath",
          "content": "SavedPictures.library-ms"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 570,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 571,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\ParsingName",
          "content": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 572,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 573,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-34583"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 574,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 575,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 576,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\StreamResource",
          "content": "%SystemRoot%\\system32\\shell32.dll,-6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 577,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\StreamResourceType",
          "content": "LIBRARY"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 578,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 579,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 580,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 581,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Stream",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 582,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 583,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 584,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 585,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 586,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E25B5812-BE88-4bd9-94B0-29233477B6C3}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 587,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Name",
          "content": "MAPIFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 589,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 590,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 591,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 592,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\ParsingName",
          "content": "shell:::{89D83576-6BD1-4C86-9454-BEB04E94C819}\\*"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 593,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 594,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 595,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 596,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 597,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 598,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 599,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 600,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 601,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 602,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 603,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 604,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 605,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 606,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 607,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{98EC0E18-2098-4D44-8644-66979315A281}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 608,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 609,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Name",
          "content": "Common Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 610,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParentFolder",
          "content": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 611,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 612,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\RelativePath",
          "content": "Microsoft\\Windows\\Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 613,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 614,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 615,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21786"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 616,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 617,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 618,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 619,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 620,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 621,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 623,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 624,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 625,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 626,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 627,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 628,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 629,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 630,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Name",
          "content": "My Video"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 631,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 632,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 633,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\RelativePath",
          "content": "Videos"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 634,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 635,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{A0953C92-50DC-43BF-BE83-3742FED03C9C}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 636,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12690"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 637,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21791"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 638,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-189"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 639,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 640,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 641,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 642,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 643,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 644,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 645,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 646,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 647,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 648,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 649,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 650,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 651,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 652,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\\PropertyBag\\ThisPCPolicy",
          "content": "Hide"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 653,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 655,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Name",
          "content": "Quick Launch"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 656,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 657,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 658,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\RelativePath",
          "content": "Microsoft\\Internet Explorer\\Quick Launch"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 659,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 660,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 661,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 662,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 663,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 664,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 665,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 666,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 667,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 668,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 669,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 670,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 671,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 672,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 673,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 674,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 675,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 676,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Name",
          "content": "ProgramFilesCommonX86"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 677,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,547",
        "eid": 680,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 681,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 682,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 683,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 684,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 685,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 686,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 687,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 688,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 689,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 690,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 691,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 692,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 693,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 694,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 695,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE974D24-D9C6-4D3E-BF91-F4455120B917}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 696,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 697,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Name",
          "content": "3D Objects"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 698,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\ParentFolder",
          "content": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 699,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 700,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\RelativePath",
          "content": "3D Objects"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 701,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 702,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 703,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21825"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 704,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-198"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 705,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 706,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 707,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 708,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 709,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 710,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 711,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 712,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 713,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 714,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 715,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\FolderTypeID",
          "content": "{b3690e58-e961-423b-b687-386ebfd83239}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 716,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 717,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 718,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 719,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 720,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Name",
          "content": "ConnectionsFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 723,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 724,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 725,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 726,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\ParsingName",
          "content": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 727,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 728,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 729,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 730,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 731,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 732,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 733,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 734,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 735,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 736,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 737,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 738,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 739,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 740,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 741,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 742,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 743,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Name",
          "content": "PrintersFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 744,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 745,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 746,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 747,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 748,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\ParsingName",
          "content": "::{21EC2020-3AEA-1069-A2DD-08002B30309D}\\::{2227A280-3AEA-1069-A2DE-08002B30309D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 749,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 750,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 751,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 752,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 753,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 754,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 755,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 756,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 757,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 758,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 759,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 760,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 761,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 762,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 763,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{76FC4E2D-D6AD-4519-A663-37BD56068185}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 764,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 765,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Name",
          "content": "VideosLibrary"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 766,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParentFolder",
          "content": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 767,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 768,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\RelativePath",
          "content": "Videos.library-ms"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 769,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 770,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\ParsingName",
          "content": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{491E922F-5643-4af4-A7EB-4E7A138D8174}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 771,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12690"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 772,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-34620"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 773,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-1005"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 774,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 775,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\StreamResource",
          "content": "%SystemRoot%\\system32\\shell32.dll,-4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 776,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\StreamResourceType",
          "content": "LIBRARY"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 777,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 778,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 779,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 780,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Stream",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 781,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 782,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 783,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 784,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 785,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{491E922F-5643-4af4-A7EB-4E7A138D8174}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 786,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 787,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Name",
          "content": "My Pictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 788,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 789,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 790,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\RelativePath",
          "content": "Pictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,562",
        "eid": 791,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 792,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 793,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12688"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 794,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21779"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 795,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-113"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 796,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 797,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 798,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 799,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 800,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 801,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 802,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 803,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 804,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 805,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 806,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 807,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 808,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 809,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{33E28130-4E1E-4676-835A-98395C3BC3BB}\\PropertyBag\\ThisPCPolicy",
          "content": "Hide"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 810,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 811,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 812,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Name",
          "content": "ResourceDir"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 813,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 814,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 815,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 816,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 817,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 818,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 819,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 820,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 821,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 822,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 823,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 824,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 825,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 826,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 827,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 828,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 829,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 830,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 831,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8AD10C31-2ADB-4296-A8F7-E4701232C972}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 832,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 833,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Name",
          "content": "Common Startup"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 834,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParentFolder",
          "content": "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 835,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 836,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\RelativePath",
          "content": "StartUp"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 837,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 838,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 839,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21787"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 840,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 841,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 842,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 843,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 844,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 845,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 846,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 847,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 848,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 849,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 850,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 851,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 852,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 853,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 854,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Name",
          "content": "PublicGameTasks"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 855,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\ParentFolder",
          "content": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 856,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 857,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\RelativePath",
          "content": "Microsoft\\Windows\\GameExplorer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 858,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 859,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 860,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 861,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 862,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 863,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 864,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 865,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\LocalRedirectOnly",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 866,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 867,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 868,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 869,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 870,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 871,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 872,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 873,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DEBF2536-E1A8-4c59-B6A2-414586476AEA}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 874,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 875,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Name",
          "content": "SyncSetupFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 876,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 877,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 878,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 879,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 880,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\ParsingName",
          "content": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\\::{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C},"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 881,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 882,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 883,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 884,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 885,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 886,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 887,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 888,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 889,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 890,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 891,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 892,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 893,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 894,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 895,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 896,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 897,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Name",
          "content": "CommonVideo"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 898,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 899,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 900,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\RelativePath",
          "content": "Videos"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 901,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 902,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12690"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 903,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21804"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 904,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 905,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 906,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 907,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 908,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 909,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 910,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 911,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 912,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 913,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 914,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 915,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,578",
        "eid": 916,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2400183A-6185-49FB-A2D8-4A392A602BA3}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 917,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 918,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 919,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Name",
          "content": "History"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 920,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 921,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 922,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\RelativePath",
          "content": "Microsoft\\Windows\\History"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 923,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 924,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 925,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 926,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 927,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 928,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 929,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 930,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\LocalRedirectOnly",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 931,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 932,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 933,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 934,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 935,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 936,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 937,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 938,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D9DC8A3B-B784-432E-A781-5A1130A75963}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 939,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 940,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Name",
          "content": "SyncResultsFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 941,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 942,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 943,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 944,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 945,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\ParsingName",
          "content": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\\::{BC48B32F-5910-47F5-8570-5074A8A5636A},"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 946,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 947,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 948,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 949,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 950,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 951,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 952,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 953,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 954,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 955,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 956,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 957,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 958,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 959,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 960,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{289A9A43-BE44-4057-A41B-587A76D7E7F9}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 961,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 962,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Name",
          "content": "ConflictFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 963,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 964,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 965,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 966,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 967,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\ParsingName",
          "content": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\\::{E413D040-6788-4C22-957E-175D1C513A34},"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 968,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 969,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 970,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 971,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 972,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 973,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 974,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 975,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 976,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 977,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 978,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 979,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 980,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 981,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 982,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BFEFB45-347D-4006-A5BE-AC0CB0567192}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 983,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 984,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Name",
          "content": "RecycleBinFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 985,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 986,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 987,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 988,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\ParsingName",
          "content": "::{645FF040-5081-101B-9F08-00AA002F954E}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 989,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 990,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 991,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 992,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 993,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 994,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 995,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 996,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 997,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 998,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 999,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1000,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1001,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1002,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1003,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1004,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1005,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Name",
          "content": "CSCFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1006,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1007,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1008,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1009,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\ParsingName",
          "content": "shell:::{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\*"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1010,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1011,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1012,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1013,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1014,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1015,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1016,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1017,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1018,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1019,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1020,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1021,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1022,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1023,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,593",
        "eid": 1024,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1025,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1026,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Name",
          "content": "Ringtones"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1027,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1028,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1029,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\RelativePath",
          "content": "Microsoft\\Windows\\Ringtones"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1030,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1031,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1032,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1033,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1034,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1035,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1036,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1037,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1038,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1039,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1040,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1041,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1042,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1043,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1044,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1045,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C870044B-F49E-4126-A9C3-B52A1FF411E8}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1046,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1047,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Name",
          "content": "Common Programs"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1048,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\ParentFolder",
          "content": "{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1049,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1050,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\RelativePath",
          "content": "Programs"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1051,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1052,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1053,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21782"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1054,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1055,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1056,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1057,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1058,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1059,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1060,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1061,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1062,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1063,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1064,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1065,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1066,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1067,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1068,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Name",
          "content": "NetHood"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1069,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1070,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1071,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\RelativePath",
          "content": "Microsoft\\Windows\\Network Shortcuts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1072,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1073,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1074,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1075,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1076,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1077,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1078,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1079,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1080,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1081,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1082,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1083,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1084,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1085,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1086,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1087,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C5ABBF53-E17F-4121-8900-86626FC2C973}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1088,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1089,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Name",
          "content": "Contacts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1090,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1091,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1092,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\RelativePath",
          "content": "Contacts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1093,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1094,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\ParsingName",
          "content": "::{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\{56784854-C6CB-462B-8169-88E350ACB882}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1095,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\InfoTip",
          "content": "@%CommonProgramFiles%\\system\\wab32res.dll,-10200"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1096,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\LocalizedName",
          "content": "@%CommonProgramFiles%\\system\\wab32res.dll,-10100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1097,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-181"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1098,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1099,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\FolderTypeID",
          "content": "{de2b70ec-9bf7-4a93-bd3d-243f7881d492}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{56784854-C6CB-462B-8169-88E350ACB882}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,609",
        "eid": 1111,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{56784854-C6CB-462B-8169-88E350ACB882}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Name",
          "content": "UserProgramFilesCommon"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\ParentFolder",
          "content": "{5cd7aee2-2219-4a67-b85d-6c9ce15660cb}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\RelativePath",
          "content": "Common"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1119,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1120,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1121,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1122,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1123,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1124,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1125,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1126,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1127,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcbd3057-ca5c-4622-b42d-bc56db0ae516}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Name",
          "content": "Roaming Tiles"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\RelativePath",
          "content": "Microsoft\\Windows\\RoamingTiles"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1142,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1143,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1144,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1145,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1146,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1147,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1148,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{00BCFC5A-ED94-4e48-96A1-3F6217F21990}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\ThisPCPolicy",
          "content": "Show"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\BaseFolderId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0ddd015d-b06c-45d5-8c4c-f59713854639}\\PropertyBag\\BaseFolderId",
          "content": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1160,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1162,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Name",
          "content": "UsersLibrariesFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\ParsingName",
          "content": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1167,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1168,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1169,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1170,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1172,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1175,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A302545D-DEFF-464b-ABE8-61C8648D939B}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Name",
          "content": "Cookies"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\RelativePath",
          "content": "Microsoft\\Windows\\INetCookies"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1196,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1197,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1198,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1199,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1200,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1201,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1202,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1203,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1204,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Name",
          "content": "LocalizedResourcesDir"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1205,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1207,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1208,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1209,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1210,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1211,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1212,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1213,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Name",
          "content": "CommonRingtones"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\ParentFolder",
          "content": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\RelativePath",
          "content": "Microsoft\\Windows\\Ringtones"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1238,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1239,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1240,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1241,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1243,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Name",
          "content": "GameTasks"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\RelativePath",
          "content": "Microsoft\\Windows\\GameExplorer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\LocalRedirectOnly",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1259,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1262,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,625",
        "eid": 1265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{054FAE61-4DD8-4787-80B6-090220C4B700}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Name",
          "content": "Favorites"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\RelativePath",
          "content": "Favorites"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21796"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-115"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1276,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1277,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1278,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1279,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1280,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1281,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1282,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1283,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1285,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1287,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Favorites",
          "content": "%USERPROFILE%\\Favorites"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\ThisPCPolicy",
          "content": "Show"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\BaseFolderId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\\PropertyBag\\BaseFolderId",
          "content": "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1292,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Name",
          "content": "HomeGroupFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1295,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\ParsingName",
          "content": "::{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1301,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-1013"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1302,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1303,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1304,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1305,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1306,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1308,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1309,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1310,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1311,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1312,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1313,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{52528A6B-B9E3-4add-B60D-588C2DBA842D}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1314,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1315,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Name",
          "content": "SendTo"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1316,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1317,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1318,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\RelativePath",
          "content": "Microsoft\\Windows\\SendTo"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1319,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1320,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1322,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1323,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1324,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1325,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1326,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1327,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1328,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1329,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1330,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1331,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1332,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{8983036C-27C0-404B-8F08-102D10DCFD74}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Name",
          "content": "PublicAccountPictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1338,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1339,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\RelativePath",
          "content": "AccountPictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1340,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1341,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1342,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\LocalizedName",
          "content": "@C:\\Windows\\SysWOW64\\Windows.UI.Immersive.dll,-38304"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1343,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1344,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1345,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1346,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1350,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1352,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\Attributes",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1354,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1355,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0482af6c-08f1-4c34-8c90-e17ec98b1e17}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1357,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Name",
          "content": "ImplicitAppShortcuts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1358,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\ParentFolder",
          "content": "{9e3995ab-1f9c-4f13-b827-48b24b6c7174}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\RelativePath",
          "content": "ImplicitAppShortcuts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1367,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1370,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1372,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1373,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1374,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1375,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1376,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{bcb5256f-79f6-4cee-b725-dc34e402fd46}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,640",
        "eid": 1377,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1378,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Name",
          "content": "Administrative Tools"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1379,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\ParentFolder",
          "content": "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1380,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\RelativePath",
          "content": "Administrative Tools"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1382,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1383,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21762"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1386,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1388,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1389,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1394,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{724EF170-A42D-4FEF-9F26-B60E846FBA4F}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Name",
          "content": "My Music"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\RelativePath",
          "content": "Music"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{1CF1260C-4DD0-4EBB-811F-33C572699FDE}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12689"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21790"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-108"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1413,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1418,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1419,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1420,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1421,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4BD8D571-6D19-48D3-BE97-422220080E43}\\PropertyBag\\ThisPCPolicy",
          "content": "Hide"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1422,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1423,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Name",
          "content": "AddNewProgramsFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\ParsingName",
          "content": "shell:::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{15eae92e-f17a-4431-9f28-805e482dafd4}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1432,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{de61d971-5ebc-4f02-a3a9-6c82895e5c04}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1446,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Name",
          "content": "Captures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\ParentFolder",
          "content": "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1449,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\RelativePath",
          "content": "Captures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1450,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1451,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21826"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1455,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1456,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1463,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1464,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1465,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{EDC0FE71-98D8-4F4A-B920-C8DC133CB165}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1466,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Name",
          "content": "UserProfiles"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1469,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1470,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1471,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1472,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1473,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21813"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1474,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1475,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1476,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Security",
          "content": "D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;WD)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1477,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1478,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1479,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1480,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1481,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1482,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1483,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1484,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1485,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1486,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1487,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0762D272-C50A-4BB0-A382-697DCD729B80}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1488,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1489,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Name",
          "content": "InternetFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1490,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1491,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\ParsingName",
          "content": "::{871C5380-42A0-1069-A2EA-08002B30309D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1494,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1499,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1500,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1501,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1502,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1503,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1504,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1505,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1506,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1507,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,656",
        "eid": 1508,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1509,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1510,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Name",
          "content": "CameraRollLibrary"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1511,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParentFolder",
          "content": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1512,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\RelativePath",
          "content": "CameraRoll.library-ms"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1514,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1515,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\ParsingName",
          "content": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{2B20DF75-1EDA-4039-8097-38798227D5B7}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1516,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1517,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-34582"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1518,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1519,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\StreamResource",
          "content": "%SystemRoot%\\system32\\shell32.dll,-5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1521,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\StreamResourceType",
          "content": "LIBRARY"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Stream",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1528,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1529,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2B20DF75-1EDA-4039-8097-38798227D5B7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1531,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
          "content": "System"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1537,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Name",
          "content": "Programs"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\ParentFolder",
          "content": "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\RelativePath",
          "content": "Programs"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1557,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1558,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21782"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1562,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1563,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1564,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1565,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1566,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1567,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1568,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1569,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1570,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1571,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1572,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1573,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1574,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Name",
          "content": "AppDataDesktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1575,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1576,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1577,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\RelativePath",
          "content": "Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1578,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1579,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1580,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1581,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1582,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1583,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1584,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1585,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1586,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1587,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1589,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1590,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1591,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1592,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1593,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B2C5E279-7ADD-439F-B28C-C41FE1BBF672}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1594,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1595,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Name",
          "content": "Camera Roll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1596,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\ParentFolder",
          "content": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1597,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1598,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\RelativePath",
          "content": "Camera Roll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1599,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1600,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1601,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21824"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1602,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1603,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1604,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1605,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1606,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1607,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1608,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1609,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1610,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1611,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1612,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1613,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1614,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AB5FB87B-7CE2-4F83-915D-550846C9537B}\\InitFolderHandler",
          "content": "{B26388EA-AD62-430f-AF5C-CFA63BFE94A6}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1615,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1616,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Name",
          "content": "MyComputerFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1617,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1618,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1619,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1620,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\ParsingName",
          "content": "::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1621,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1623,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1624,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1625,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1626,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1627,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1628,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1629,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1630,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1631,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1632,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1633,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1634,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1635,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1636,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1637,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Name",
          "content": "Common Administrative Tools"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1638,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\ParentFolder",
          "content": "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1639,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1640,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\RelativePath",
          "content": "Administrative Tools"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1641,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1642,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1643,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21762"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1644,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1645,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1646,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1647,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1648,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1649,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1650,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1651,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1652,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1653,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1655,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1656,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D0384E7D-BAC3-4797-8F14-CBA229B392B5}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1657,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1658,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Name",
          "content": "DocumentsLibrary"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1659,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParentFolder",
          "content": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1660,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1661,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\RelativePath",
          "content": "Documents.library-ms"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1662,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1663,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\ParsingName",
          "content": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1664,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1665,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-34575"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1666,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-1002"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1667,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1668,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\StreamResource",
          "content": "%SystemRoot%\\system32\\shell32.dll,-1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1669,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\StreamResourceType",
          "content": "LIBRARY"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,672",
        "eid": 1670,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1671,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1672,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1673,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Stream",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1674,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1675,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1676,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1677,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7b0db17d-9cd2-4a93-9733-46cc89022e7c}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1680,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Name",
          "content": "Application Shortcuts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1681,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1682,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1683,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\RelativePath",
          "content": "Microsoft\\Windows\\Application Shortcuts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1684,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1685,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1686,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-50704"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1687,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1688,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1689,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1690,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1691,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1692,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1693,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1694,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1695,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1696,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1697,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1698,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1699,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A3918781-E5F2-4890-B3D9-A7E54332328C}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1700,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1701,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Name",
          "content": "Recent"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1702,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1703,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1704,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\RelativePath",
          "content": "Microsoft\\Windows\\Recent"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1705,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1706,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InfoTip",
          "content": "@shell32,dll,-12692"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1707,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21797"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1708,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-117"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1709,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1710,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1711,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1712,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1713,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1714,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1715,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1716,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1717,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1718,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1719,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1720,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Name",
          "content": "Screenshots"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1723,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\ParentFolder",
          "content": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1724,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1725,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\RelativePath",
          "content": "Screenshots"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1726,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1727,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1728,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21823"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1729,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1730,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1731,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1732,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1733,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1734,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1735,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1736,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1737,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1738,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1739,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1740,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1741,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{b7bede81-df94-4682-a7d8-57a52620b86f}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1742,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1743,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Name",
          "content": "SavedPictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1744,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\ParentFolder",
          "content": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1745,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1746,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\RelativePath",
          "content": "Saved Pictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1747,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1748,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1749,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-34583"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1750,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1751,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1752,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1753,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1754,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1755,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1756,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1757,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1758,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1759,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1760,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1761,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1762,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3B193882-D3AD-4eab-965A-69829D1FB59F}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1763,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1764,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Name",
          "content": "Common AppData"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1765,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1766,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1767,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1768,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1769,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1770,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1771,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1772,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1773,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1774,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1775,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1776,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1777,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1778,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1779,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1780,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1781,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1782,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1783,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1784,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1785,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
          "content": "Local AppData"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1786,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1787,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1788,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
          "content": "AppData\\Local"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1789,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1790,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1791,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1792,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1793,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1794,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1795,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1796,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1797,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1798,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1799,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1800,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1801,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1802,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1803,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1804,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1805,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1806,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Name",
          "content": "ThisPCDesktopFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1807,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1808,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1809,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\RelativePath",
          "content": "Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1810,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1811,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1812,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1813,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21769"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1814,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-183"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1815,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1816,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,687",
        "eid": 1817,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1818,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1819,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1820,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PreCreate",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1821,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1822,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1823,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1824,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1825,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1826,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1827,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1828,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1829,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1830,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1831,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Name",
          "content": "CommonPictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1832,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1833,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1834,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\RelativePath",
          "content": "Pictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1835,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1836,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12688"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1837,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21802"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1838,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1839,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1840,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1841,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1842,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1843,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1844,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1845,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1846,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1847,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1848,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1849,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1850,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1851,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1852,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Name",
          "content": "AppsFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1853,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1854,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1855,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1856,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParsingName",
          "content": "shell:::{4234d49b-0245-4df3-b780-3893943456e1}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1857,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1858,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1859,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1860,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1861,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1862,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1863,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1864,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1865,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1866,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1867,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1868,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1869,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1870,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1871,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1872,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1873,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Name",
          "content": "PrintHood"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1874,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1875,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1876,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\RelativePath",
          "content": "Microsoft\\Windows\\Printer Shortcuts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1877,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1878,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1879,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1880,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1881,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1882,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1883,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1884,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1885,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1886,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1887,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1888,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1889,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1890,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1891,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1892,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1893,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1894,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Name",
          "content": "Development Files"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1895,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1896,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1897,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\RelativePath",
          "content": "DevelopmentFiles"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1898,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1899,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1900,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1901,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1902,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,703",
        "eid": 1903,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1904,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1905,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1906,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1907,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1908,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1909,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1910,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1911,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1912,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1913,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DBE8E08E-3053-4BBC-B183-2A7B2B191E59}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1914,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1915,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Name",
          "content": "PhotoAlbums"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1916,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\ParentFolder",
          "content": "{33E28130-4E1E-4676-835A-98395C3BC3BB}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1917,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1918,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\RelativePath",
          "content": "Slide Shows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1919,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1920,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1921,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21819"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1922,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1923,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1924,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1925,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1926,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1927,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1928,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1929,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1930,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1931,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1932,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1933,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1934,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1935,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1936,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Name",
          "content": "Downloads"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1937,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1938,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1939,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\RelativePath",
          "content": "Downloads"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1940,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1941,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{374DE290-123F-4565-9164-39C4925E467B}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1942,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1943,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21798"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1944,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-184"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1945,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Security",
          "content": "S:AI(RA;IOOICI;;;;WD;(\"IMAGELOAD\",TU,0x0,0x01))"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1946,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1947,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1948,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1949,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1950,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1951,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1952,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1953,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1954,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1955,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\FolderTypeID",
          "content": "{885A186E-A440-4ADA-812B-DB871B942259}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1956,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1957,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1958,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{374DE290-123F-4565-9164-39C4925E467B}\\PropertyBag\\ThisPCPolicy",
          "content": "Hide"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,718",
        "eid": 1959,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1960,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1961,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Name",
          "content": "AppMods"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1962,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\ParentFolder",
          "content": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1963,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1964,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\RelativePath",
          "content": "AppMods"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1965,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1966,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1967,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21829"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1968,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1969,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1970,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1971,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1972,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1973,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1974,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1975,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1976,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1977,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1978,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1979,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\FolderTypeID",
          "content": "{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1980,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1981,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{7AD67899-66AF-43BA-9156-6AAD42E6C596}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1982,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1983,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1984,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1985,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\ThisPCPolicy",
          "content": "Show"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1986,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\BaseFolderId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1987,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a0c69a99-21c8-4671-8703-7934162fcf1d}\\PropertyBag\\BaseFolderId",
          "content": "{4BD8D571-6D19-48D3-BE97-422220080E43}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1988,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1989,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1990,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Name",
          "content": "AppUpdatesFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1991,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1992,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1993,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1994,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1995,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\ParsingName",
          "content": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}\\::{d450a8a1-9568-45c7-9c0e-b4f9fb4537bd}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1996,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1997,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1998,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 1999,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2000,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2001,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2002,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2003,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2004,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2005,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2006,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2007,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2008,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2009,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,734",
        "eid": 2010,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{a305ce99-f527-492b-8b1a-7e76fa98d6e4}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2011,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2012,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Name",
          "content": "CommonDownloads"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2013,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2014,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2015,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\RelativePath",
          "content": "Downloads"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2016,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2017,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2018,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21808"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2019,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2020,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2021,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2022,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2023,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2024,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2025,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2026,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2027,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2028,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2029,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2030,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2031,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2032,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2033,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\ThisPCPolicy",
          "content": "Show"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2034,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\BaseFolderId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2035,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\\PropertyBag\\BaseFolderId",
          "content": "{374DE290-123F-4565-9164-39C4925E467B}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2036,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2037,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2038,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Name",
          "content": "Common Start Menu Places"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2039,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\ParentFolder",
          "content": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2040,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2041,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\RelativePath",
          "content": "Microsoft\\Windows\\Start Menu Places"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2042,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2043,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2044,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21786"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2045,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2046,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2047,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2048,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2049,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2050,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2051,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2052,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2053,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2054,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2055,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2056,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2057,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A440879F-87A0-4F7D-B700-0207B966194A}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2058,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2059,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Name",
          "content": "PicturesLibrary"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2060,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParentFolder",
          "content": "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2061,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2062,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\RelativePath",
          "content": "Pictures.library-ms"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2063,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2064,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\ParsingName",
          "content": "::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\{A990AE9F-A03B-4e80-94BC-9912D7504104}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2065,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12688"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2066,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-34595"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2067,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-1003"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2068,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2069,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\StreamResource",
          "content": "%SystemRoot%\\system32\\shell32.dll,-3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2070,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\StreamResourceType",
          "content": "LIBRARY"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2071,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2072,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2073,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2074,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Stream",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2075,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2076,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2077,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2078,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2079,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A990AE9F-A03B-4e80-94BC-9912D7504104}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2080,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2081,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Name",
          "content": "Public"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2082,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2083,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2084,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2085,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2086,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2087,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21816"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2088,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2089,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2090,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Security",
          "content": "D:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICIIO;0x1301ff;;;IU)(A;;0x1200af;;;IU)(A;OICIIO;0x1301ff;;;SU)(A;;0x1200af;;;SU)(A;OICIIO;0x1301ff;;;S-1-5-3)(A;;0x1200af;;;S-1-5-3)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2091,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2092,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2093,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2094,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2095,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2096,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2097,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2098,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2099,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DFDF76A2-C82A-4D63-906A-5644AC457385}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Name",
          "content": "RecordedTVLibrary"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\ParentFolder",
          "content": "{48daf80b-e6cf-4f4e-b800-0e69d84ee384}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\RelativePath",
          "content": "RecordedTV.library-ms"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-34615"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-1008"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\StreamResource",
          "content": "%SystemRoot%\\system32\\shell32.dll,-8"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\StreamResourceType",
          "content": "LIBRARY"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Stream",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2119,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2120,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2121,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2122,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1A6FDBA2-F42D-4358-A798-B74D745926C5}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2123,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2124,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Name",
          "content": "AppDataProgramData"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2125,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2126,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2127,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\RelativePath",
          "content": "ProgramData"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2142,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2143,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{559D40A3-A036-40FA-AF61-84CB430A4D34}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2144,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2145,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Name",
          "content": "HomeGroupCurrentUserFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2146,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2147,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2148,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\ParsingName",
          "content": "::{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\$CurrentUser$"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2162,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Name",
          "content": "LocalAppDataLow"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2167,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2168,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,750",
        "eid": 2169,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\RelativePath",
          "content": "AppData\\LocalLow"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2170,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2172,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Security",
          "content": "S:(ML;OICI;NW;;;LW)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2175,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\LocalRedirectOnly",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\Attributes",
          "content": "8192"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Name",
          "content": "Roamed Tile Images"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\RelativePath",
          "content": "Microsoft\\Windows\\RoamedTileImages"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2196,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2197,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2198,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2199,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2200,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2201,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2202,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2203,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2204,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2205,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2207,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2208,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Name",
          "content": "CryptoKeys"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2209,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2210,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2211,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2212,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2213,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B88F4DAA-E7BD-49a9-B74D-02885A5DC765}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Name",
          "content": "Original Images"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\RelativePath",
          "content": "Microsoft\\Windows Photo Gallery\\Original Images"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2238,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2239,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2240,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2241,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2243,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Name",
          "content": "User Pinned"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\ParentFolder",
          "content": "{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\RelativePath",
          "content": "User Pinned"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2259,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2262,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\Attributes",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{9e3995ab-1f9c-4f13-b827-48b24b6c7174}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Name",
          "content": "ChangeRemoveProgramsFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2276,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\ParsingName",
          "content": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2277,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2278,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2279,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2280,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2281,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2282,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2283,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2285,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2287,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{df7266ac-9274-4867-8d55-3bd661de872d}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2292,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Name",
          "content": "Common Documents"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2295,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\RelativePath",
          "content": "Documents"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21801"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2301,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2302,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2303,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2304,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2305,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2306,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2308,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2309,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2310,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2311,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2312,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{ED4824AF-DCE4-45A8-81E2-FC7965083634}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2313,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2314,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
          "content": "SystemX86"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2315,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2316,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2317,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2318,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2319,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2320,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2322,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2323,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2324,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2325,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2326,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2327,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2328,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2329,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2330,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2331,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2332,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Name",
          "content": "AccountPictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2338,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\RelativePath",
          "content": "Microsoft\\Windows\\AccountPictures"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2339,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2340,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2341,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\LocalizedName",
          "content": "@C:\\Windows\\SysWOW64\\Windows.UI.Immersive.dll,-38305"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2342,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2343,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2344,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2345,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2346,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2350,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2352,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2354,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2355,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Name",
          "content": "CommonMusic"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2357,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2358,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\RelativePath",
          "content": "Music"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\InfoTip",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-12689"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21803"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2367,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2370,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2372,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2373,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2374,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2375,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3214FAB5-9757-4298-BB61-92A9DEAA44FF}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2376,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2377,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Name",
          "content": "SearchHistoryFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2378,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2379,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2380,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\RelativePath",
          "content": "Microsoft\\Windows\\ConnectedSearch\\History"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2382,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2383,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2386,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2388,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2389,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2394,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Name",
          "content": "ProgramFiles"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21781"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2413,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2418,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2419,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Name",
          "content": "Fonts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2420,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParentFolder",
          "content": "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2421,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,765",
        "eid": 2422,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2423,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2432,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Name",
          "content": "Startup"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParentFolder",
          "content": "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\RelativePath",
          "content": "StartUp"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2446,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21787"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2449,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2450,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2451,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2455,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2456,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Name",
          "content": "AppDataFavorites"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2463,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2464,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\RelativePath",
          "content": "Favorites"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2465,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2466,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2469,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2470,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2471,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2472,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2473,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2474,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2475,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2476,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2477,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2478,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2479,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2480,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7CFBEFBC-DE1F-45AA-B843-A542AC536CC9}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2481,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2482,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Name",
          "content": "Recorded Calls"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2483,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\ParentFolder",
          "content": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2484,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2485,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\RelativePath",
          "content": "Recorded Calls"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2486,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2487,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2488,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21827"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2489,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2490,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2491,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2494,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2499,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2500,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2501,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2502,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{2F8B40C2-83ED-48EE-B383-A1F157EC6F9A}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2503,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2504,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3262678163-160926255-2192883574-1002\\ProfileImagePath",
          "content": "C:\\Users\\Rajesh"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2505,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2506,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Name",
          "content": "Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2507,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2508,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2509,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\RelativePath",
          "content": "Microsoft\\Windows\\Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2510,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2511,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2512,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21786"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2514,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2515,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2516,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2517,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2518,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2519,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2521,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Name",
          "content": "NetworkPlacesFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2528,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2529,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2531,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\ParsingName",
          "content": "::{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2537,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Name",
          "content": "Playlists"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\ParentFolder",
          "content": "{4BD8D571-6D19-48D3-BE97-422220080E43}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\RelativePath",
          "content": "Playlists"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21818"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2557,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2558,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2562,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2563,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2564,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2565,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2566,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2567,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{DE92C1C7-837F-4F69-A3BB-86E631204A23}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2568,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2569,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Name",
          "content": "DpapiKeys"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2570,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2571,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2572,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2573,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2574,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2575,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2576,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2577,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2578,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2579,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2580,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2581,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2582,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2583,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2584,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2585,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2586,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2587,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{10C07CD0-EF91-4567-B850-448B77CB37F9}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2589,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2590,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Name",
          "content": "Personal"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2591,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2592,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2593,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\RelativePath",
          "content": "Documents"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2594,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2595,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2596,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2597,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21770"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2598,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-112"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2599,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2600,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2601,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2602,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2603,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2604,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2605,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2606,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2607,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2608,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2609,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2610,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2611,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2612,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag\\ThisPCPolicy",
          "content": "Hide"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2613,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2614,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2615,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Name",
          "content": "OEM Links"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2616,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\ParentFolder",
          "content": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2617,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2618,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\RelativePath",
          "content": "OEM Links"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2619,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2620,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2621,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2623,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2624,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2625,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2626,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2627,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2628,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2629,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2630,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2631,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2632,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2633,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2634,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2635,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2636,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Name",
          "content": "SearchHomeFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2637,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2638,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2639,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2640,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\ParsingName",
          "content": "::{9343812e-1c37-4a49-a12e-4b2d810d956b}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2641,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2642,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2643,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2644,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2645,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2646,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2647,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2648,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2649,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2650,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2651,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2652,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2653,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2655,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{190337d1-b8ca-4121-a639-6d472d16972a}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2656,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\ThisPCPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2657,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\ThisPCPolicy",
          "content": "Show"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2658,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\BaseFolderId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2659,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\\PropertyBag\\BaseFolderId",
          "content": "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2660,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisablePersonalDirChange",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2661,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2662,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Name",
          "content": "ThisDeviceFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2663,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2664,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2665,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2666,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\ParsingName",
          "content": "::{f8278c54-a712-415b-b593-b77a2be0dda9}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2667,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2668,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2669,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2670,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2671,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2672,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2673,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2674,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2675,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2676,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2677,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:01,781",
        "eid": 2679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,812",
        "eid": 2680,
        "data": {
          "file": "C:\\Users\\Rajesh\\Searches\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,828",
        "eid": 2681,
        "data": {
          "file": "C:\\Users\\Rajesh\\Contacts\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,828",
        "eid": 2682,
        "data": {
          "file": "C:\\Users\\Rajesh\\Favorites\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,843",
        "eid": 2683,
        "data": {
          "file": "C:\\Users\\Rajesh\\Links\\desktop.ini"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,843",
        "eid": 2684,
        "data": {
          "file": "C:\\Users\\Rajesh\\Saved Games\\desktop.ini"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,859",
        "eid": 2685,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,859",
        "eid": 2686,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,859",
        "eid": 2687,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:01,875",
        "eid": 2688,
        "data": {
          "file": "C:\\Users\\desktop.ini"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:01,937",
        "eid": 2689,
        "data": {
          "file": "twext.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:04,781",
        "eid": 2690,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:04,797",
        "eid": 2691,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:04,812",
        "eid": 2692,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:04,843",
        "eid": 2693,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:04,843",
        "eid": 2694,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:04,843",
        "eid": 2695,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,015",
        "eid": 2696,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,015",
        "eid": 2697,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,015",
        "eid": 2698,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,031",
        "eid": 2699,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,031",
        "eid": 2700,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,031",
        "eid": 2701,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:05,109",
        "eid": 2702,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,234",
        "eid": 2703,
        "data": {
          "file": "ntshrui.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,265",
        "eid": 2704,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,265",
        "eid": 2705,
        "data": {
          "file": "ntshrui.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,312",
        "eid": 2706,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,312",
        "eid": 2707,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,312",
        "eid": 2708,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,312",
        "eid": 2709,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,312",
        "eid": 2710,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,343",
        "eid": 2711,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,343",
        "eid": 2712,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,343",
        "eid": 2713,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-29 22:15:05,359",
        "eid": 2714,
        "data": {
          "file": "\\Device\\NamedPipe\\srvsvc"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:05,359",
        "eid": 2715,
        "data": {
          "file": "\\Device\\NamedPipe\\srvsvc"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,359",
        "eid": 2716,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,359",
        "eid": 2717,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,359",
        "eid": 2718,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,375",
        "eid": 2719,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,375",
        "eid": 2720,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,375",
        "eid": 2721,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,375",
        "eid": 2722,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,406",
        "eid": 2723,
        "data": {
          "file": "ntshrui.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,422",
        "eid": 2724,
        "data": {
          "file": "ntshrui.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,422",
        "eid": 2725,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,422",
        "eid": 2726,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,422",
        "eid": 2727,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,422",
        "eid": 2728,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 22:15:05,437",
        "eid": 2729,
        "data": {
          "file": "C:\\Windows\\Fonts\\StaticCache.dat"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,437",
        "eid": 2730,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,437",
        "eid": 2731,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,437",
        "eid": 2732,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,453",
        "eid": 2733,
        "data": {
          "file": "7-zip32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 22:15:05,484",
        "eid": 2734,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\7-Zip\\Lang",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,484",
        "eid": 2735,
        "data": {
          "file": "appresolver.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,500",
        "eid": 2736,
        "data": {
          "file": "acppage.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,531",
        "eid": 2737,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,593",
        "eid": 2738,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,593",
        "eid": 2739,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,593",
        "eid": 2740,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,765",
        "eid": 2741,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,765",
        "eid": 2742,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,765",
        "eid": 2743,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,781",
        "eid": 2744,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,781",
        "eid": 2745,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,781",
        "eid": 2746,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,781",
        "eid": 2747,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,781",
        "eid": 2748,
        "data": {
          "file": "msiso.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,797",
        "eid": 2749,
        "data": {
          "file": "msiso.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,843",
        "eid": 2750,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,843",
        "eid": 2751,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,843",
        "eid": 2752,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,859",
        "eid": 2753,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,859",
        "eid": 2754,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:05,859",
        "eid": 2755,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:06,062",
        "eid": 2756,
        "data": {
          "file": "DDRAW.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:06,062",
        "eid": 2757,
        "data": {
          "file": "D3D8.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:06,062",
        "eid": 2758,
        "data": {
          "file": "D3D9.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:06,062",
        "eid": 2759,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-29 22:15:07,343",
        "eid": 2760,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,343",
        "eid": 2761,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,359",
        "eid": 2762,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,359",
        "eid": 2763,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,359",
        "eid": 2764,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-29 22:15:07,390",
        "eid": 2765,
        "data": {
          "file": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2766,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2767,
        "data": {
          "file": "kernelbase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2768,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2769,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2770,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2771,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2772,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2773,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2774,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2775,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2776,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2777,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2778,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2779,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2780,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2781,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:07,531",
        "eid": 2782,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 22:15:11,113",
        "eid": 2783,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a7170000"
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": [],
      "com_activations": []
    }
  },
  "debug": {
    "log": "2026-06-29 14:58:59,665 [root] INFO: Date set to: 20260629T15:14:46, timeout set to: 200\n2026-06-29 15:14:46,073 [root] DEBUG: Starting analyzer from: C:\\2_6me6uj\n2026-06-29 15:14:46,074 [root] DEBUG: Storing results at: C:\\QonFocsg\n2026-06-29 15:14:46,075 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\ZkVqIBDyaH\n2026-06-29 15:14:46,076 [root] DEBUG: Python path: C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\n2026-06-29 15:14:46,077 [root] INFO: analysis running as an admin\n2026-06-29 15:14:46,077 [root] INFO: analysis package specified: \"exe\"\n2026-06-29 15:14:46,077 [root] DEBUG: importing analysis package module: \"modules.packages.exe\"...\n2026-06-29 15:14:46,087 [root] DEBUG: imported analysis package \"exe\"\n2026-06-29 15:14:46,087 [root] DEBUG: initializing analysis package \"exe\"...\n2026-06-29 15:14:46,088 [lib.common.common] INFO: no wrapping\n2026-06-29 15:14:46,088 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-29 15:14:46,089 [root] DEBUG: New location of moved file: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe\n2026-06-29 15:14:46,090 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll option\n2026-06-29 15:14:46,090 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll_64 option\n2026-06-29 15:14:46,092 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option\n2026-06-29 15:14:46,095 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option\n2026-06-29 15:14:46,111 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-06-29 15:14:46,131 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-06-29 15:14:46,154 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-06-29 15:14:46,178 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-06-29 
15:14:46,187 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-06-29 15:14:46,188 [lib.api.screenshot] ERROR: No module named 'PIL'\n2026-06-29 15:14:46,189 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-06-29 15:14:46,192 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-06-29 15:14:46,192 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-06-29 15:14:46,192 [root] DEBUG: attempting to configure 'Browser' from data\n2026-06-29 15:14:46,193 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-06-29 15:14:46,193 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-06-29 15:14:46,194 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-06-29 15:14:46,194 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-06-29 15:14:46,195 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-06-29 15:14:46,195 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-06-29 15:14:46,195 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-06-29 15:14:46,195 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-06-29 15:14:46,476 [modules.auxiliary.digisig] DEBUG: File has an invalid signature\n2026-06-29 15:14:46,481 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-06-29 15:14:46,494 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-06-29 15:14:46,495 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-06-29 15:14:46,495 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-06-29 15:14:46,496 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-06-29 15:14:46,496 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2026-06-29 15:14:46,503 [modules.auxiliary.disguise] INFO: Launched background 
process notepad.exe hidden (PID: 3684)\n2026-06-29 15:14:46,510 [modules.auxiliary.disguise] INFO: Disguising GUID to d73b513f-eceb-4129-91ef-bee036b2d2d9\n2026-06-29 15:14:46,510 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-06-29 15:14:46,511 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-06-29 15:14:46,511 [root] DEBUG: attempting to configure 'Human' from data\n2026-06-29 15:14:46,512 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-06-29 15:14:46,512 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-06-29 15:14:46,516 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-06-29 15:14:46,516 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-06-29 15:14:46,516 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-06-29 15:14:46,517 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-06-29 15:14:46,517 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-06-29 15:14:46,527 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2026-06-29 15:14:46,527 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-06-29 15:14:46,528 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-06-29 15:14:46,528 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-06-29 15:14:46,529 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-06-29 15:14:46,529 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-06-29 15:14:46,542 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process\n2026-06-29 15:14:46,545 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-06-29 15:14:52,542 [root] INFO: Restarting WMI Service\n2026-06-29 15:14:54,754 [root] DEBUG: 
package modules.packages.exe does not support configure, ignoring\n2026-06-29 15:14:54,756 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2026-06-29 15:14:54,758 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-29 15:14:54,769 [lib.api.process] INFO: Successfully executed process from path \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe\" with arguments \"\" with pid 3236\n2026-06-29 15:14:54,770 [lib.api.process] INFO: Monitor config for process 3236: C:\\2_6me6uj\\dll\\3236.ini\n2026-06-29 15:14:54,790 [lib.api.process] INFO: 32-bit DLL to inject is C:\\2_6me6uj\\dll\\xTbXXGg.dll, loader C:\\2_6me6uj\\bin\\PZVebbf.exe\n2026-06-29 15:14:54,819 [root] DEBUG: Loader: Injecting process 3236 (thread 5028) with C:\\2_6me6uj\\dll\\xTbXXGg.dll.\n2026-06-29 15:14:54,821 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 15:14:54,822 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\xTbXXGg.dll.\n2026-06-29 15:14:54,825 [lib.api.process] INFO: Injected into 32-bit <Process 3236 invoice_231836298371.exe>\n2026-06-29 15:14:56,839 [lib.api.process] INFO: Successfully resumed process with pid 3236\n2026-06-29 15:14:56,870 [root] DEBUG: 3236: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-29 15:14:56,875 [root] DEBUG: 3236: Disabling sleep skipping.\n2026-06-29 15:14:56,876 [root] DEBUG: 3236: Dropped file limit defaulting to 100.\n2026-06-29 15:14:56,906 [root] DEBUG: 3236: YaraInit: Compiled 44 rule files\n2026-06-29 15:14:56,911 [root] DEBUG: 3236: YaraInit: Compiled rules saved to file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-29 15:14:56,913 [root] DEBUG: 3236: YaraScan: Scanning 0x00400000, size 0x40352\n2026-06-29 15:14:56,919 [root] DEBUG: 3236: Monitor initialised: 32-bit capemon loaded in process 3236 at 0x74330000, thread 
5028, image base 0x400000, stack from 0x192000-0x1a0000\n2026-06-29 15:14:56,920 [root] DEBUG: 3236: Commandline: \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe\"\n2026-06-29 15:14:56,988 [root] DEBUG: 3236: hook_api: LdrpCallInitRoutine export address 0x76F72980 obtained via GetFunctionAddress\n2026-06-29 15:14:57,021 [root] DEBUG: 3236: hook_api: Warning - SetWindowLongW export address 0x75D57CC0 differs from GetProcAddress -> 0x74645820 (apphelp.dll::0xfe925820)\n2026-06-29 15:14:57,022 [root] DEBUG: 3236: hook_api: Warning - EnumDisplayDevicesA export address 0x75D4BE40 differs from GetProcAddress -> 0x746465C0 (apphelp.dll::0xfe9265c0)\n2026-06-29 15:14:57,023 [root] DEBUG: 3236: hook_api: Warning - EnumDisplayDevicesW export address 0x75D62430 differs from GetProcAddress -> 0x7466E230 (apphelp.dll::0xfe94e230)\n2026-06-29 15:14:57,026 [root] DEBUG: 3236: hook_api: Trampoline creation failed for GetCommandLineA, retrying with HOOK_SAFEST\n2026-06-29 15:14:57,027 [root] DEBUG: 3236: hook_api: Trampoline creation failed for GetCommandLineW, retrying with HOOK_SAFEST\n2026-06-29 15:14:57,052 [root] DEBUG: 3236: Hooked 635 out of 635 functions\n2026-06-29 15:14:57,056 [root] DEBUG: 3236: Syscall hook installed, syscall logging level 1\n2026-06-29 15:14:57,065 [root] DEBUG: 3236: RestoreHeaders: Restored original import table.\n2026-06-29 15:14:57,070 [root] INFO: Loaded monitor into process with pid 3236\n2026-06-29 15:14:57,082 [root] DEBUG: 3236: caller_dispatch: Added region at 0x00400000 to tracked regions list (ntdll::NtQueryInformationToken returns to 0x0040A56A, thread 5028).\n2026-06-29 15:14:57,083 [root] DEBUG: 3236: YaraScan: Scanning 0x00400000, size 0x40352\n2026-06-29 15:14:57,089 [root] DEBUG: 3236: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 0.000000e+00)\n2026-06-29 15:14:57,459 [root] DEBUG: 3236: YaraScan: Scanning 0x00400000, size 0x40352\n2026-06-29 15:14:57,466 [root] DEBUG: 3236: 
ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 3.881991e-03)\n2026-06-29 15:14:58,830 [root] DEBUG: 3236: ProtectionHandler: Adding region at 0x03A20000 to tracked regions.\n2026-06-29 15:14:58,831 [root] DEBUG: 3236: ProtectionHandler: Processing previous tracked region at: 0x00400000.\n2026-06-29 15:14:58,833 [root] DEBUG: 3236: YaraScan: Scanning 0x00400000, size 0x40352\n2026-06-29 15:14:58,839 [root] DEBUG: 3236: ProcessImageBase: Modified image detected at image base 0x00400000 - new entropy 6.745340e+00 (change 4.785100e-02).\n2026-06-29 15:14:58,840 [root] DEBUG: 3236: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-29 15:14:58,841 [root] DEBUG: 3236: DumpProcess: Instantiating PeParser with address: 0x00400000.\n2026-06-29 15:14:58,842 [root] DEBUG: 3236: DumpProcess: Module entry point VA is 0x0040A3B6.\n2026-06-29 15:14:58,856 [lib.common.results] INFO: Uploading file C:\\QonFocsg\\CAPE\\3236_1522660458142229162026 to CAPE\\adb989d8481e5421abf199419fc23b92092bbd0cb4e6f3389a18bd1b63b0da6e; Size is 251904; Max size: 100000000\n2026-06-29 15:14:58,873 [root] DEBUG: 3236: DumpProcess: Module image dump success - dump size 0x3d800.\n2026-06-29 15:14:59,099 [root] DEBUG: 3236: ProtectionHandler: Processing previous tracked region at: 0x03A20000.\n2026-06-29 15:14:59,100 [root] DEBUG: 3236: ProcessTrackedRegion: Entropy for tracked region at 0x03A20000: 6.791808e+00\n2026-06-29 15:14:59,101 [root] DEBUG: 3236: DumpPEsInRange: Scanning range 0x03A20000 - 0x03A60352.\n2026-06-29 15:14:59,102 [root] DEBUG: 3236: ScanForDisguisedPE: PE image located at: 0x03A20000\n2026-06-29 15:14:59,103 [root] DEBUG: 3236: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-29 15:14:59,104 [root] DEBUG: 3236: DumpProcess: Instantiating PeParser with address: 0x03A20000.\n2026-06-29 15:14:59,105 [root] DEBUG: 3236: DumpProcess: Module entry point VA is 0x03A2A3B6.\n2026-06-29 15:14:59,116 
[lib.common.results] INFO: Uploading file C:\\QonFocsg\\CAPE\\3236_305877659142229162026 to CAPE\\adb989d8481e5421abf199419fc23b92092bbd0cb4e6f3389a18bd1b63b0da6e; Size is 251904; Max size: 100000000\n2026-06-29 15:14:59,122 [root] DEBUG: 3236: DumpProcess: Module image dump success - dump size 0x3d800.\n2026-06-29 15:14:59,124 [root] DEBUG: 3236: ScanForDisguisedPE: No PE image located in range 0x03A21000-0x03A60352.\n2026-06-29 15:14:59,125 [root] DEBUG: 3236: DumpRegion: Dumped PE image(s) from base address 0x03A20000, size 266240 bytes.\n2026-06-29 15:14:59,125 [root] DEBUG: 3236: ProcessTrackedRegion: Dumped region at 0x03A20000.\n2026-06-29 15:14:59,126 [root] DEBUG: 3236: YaraScan: Scanning 0x03A20000, size 0x40352\n2026-06-29 15:14:59,132 [root] DEBUG: 3236: YaraScan: Scanning 0x00400000, size 0x40352\n2026-06-29 15:14:59,136 [root] DEBUG: 3236: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 0.000000e+00)\n2026-06-29 15:14:59,180 [root] DEBUG: 3236: api-rate-cap: LdrGetProcedureAddressForCaller hook disabled due to rate\n2026-06-29 15:14:59,686 [root] DEBUG: 3236: api-cap: LdrLoadDll hook disabled due to count: 5000\n2026-06-29 15:15:00,990 [root] DEBUG: 3236: YaraScan: Scanning 0x00400000, size 0x40352\n2026-06-29 15:15:01,000 [root] DEBUG: 3236: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 0.000000e+00)\n2026-06-29 15:15:01,007 [root] DEBUG: 3236: YaraScan: Scanning 0x00400000, size 0x2044e\n2026-06-29 15:15:01,013 [root] DEBUG: 3236: ProcessImageBase: Modified entry point (0x00001E65) detected at image base 0x00400000 - dumping.\n2026-06-29 15:15:01,014 [root] DEBUG: 3236: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-29 15:15:01,016 [root] DEBUG: 3236: DumpProcess: Instantiating PeParser with address: 0x00400000.\n2026-06-29 15:15:01,018 [root] DEBUG: 3236: DumpProcess: Module entry point VA is 0x00401E65.\n2026-06-29 15:15:01,025 [lib.common.results] INFO: 
Uploading file C:\\QonFocsg\\CAPE\\3236_2898721152229162026 to CAPE\\a43ce4486c8db93856fea66c4d232300ac5cba7ea8aa8f171936d6acd9ef7238; Size is 118272; Max size: 100000000\n2026-06-29 15:15:01,050 [root] DEBUG: 3236: DumpProcess: Module image dump success - dump size 0x1ce00.\n2026-06-29 15:15:01,058 [root] DEBUG: 3236: DLL loaded at 0x74290000: C:\\Windows\\system32\\mswsock (0x52000 bytes).\n2026-06-29 15:15:01,073 [root] DEBUG: 3236: DLL loaded at 0x74270000: C:\\Windows\\SYSTEM32\\CRYPTSP (0x13000 bytes).\n2026-06-29 15:15:01,077 [root] DEBUG: 3236: DLL loaded at 0x74240000: C:\\Windows\\system32\\rsaenh (0x2f000 bytes).\n2026-06-29 15:15:01,079 [root] DEBUG: 3236: DLL loaded at 0x769D0000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2026-06-29 15:15:01,126 [root] INFO: Added new file to list with pid 3236 and path C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\❤≸⋙\\Ⱒ☠⍨\\‮ﯹ๛\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe\n2026-06-29 15:15:01,162 [root] INFO: Added new file to list with pid 3236 and path C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msimg32.dll\n2026-06-29 15:15:01,173 [root] INFO: Added new file to list with pid 3236 and path C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe\n2026-06-29 15:15:01,177 [root] DEBUG: 3236: DLL loaded at 0x755E0000: C:\\Windows\\System32\\SHCORE (0x87000 bytes).\n2026-06-29 15:15:01,185 [root] DEBUG: 3236: DLL loaded at 0x746B0000: C:\\Windows\\SYSTEM32\\Wldp (0x24000 bytes).\n2026-06-29 15:15:01,188 [root] DEBUG: 3236: DLL loaded at 0x746E0000: C:\\Windows\\SYSTEM32\\windows.storage (0x608000 bytes).\n2026-06-29 15:15:01,197 [root] DEBUG: 3236: DLL loaded at 0x74CF0000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2026-06-29 15:15:01,205 [root] DEBUG: 3236: DLL loaded at 0x741C0000: C:\\Windows\\system32\\uxtheme (0x74000 bytes).\n2026-06-29 15:15:01,223 [root] DEBUG: 3236: DLL loaded at 0x740F0000: 
C:\\Windows\\SYSTEM32\\PROPSYS (0xc2000 bytes).\n2026-06-29 15:15:01,240 [root] DEBUG: 3236: DLL loaded at 0x76A30000: C:\\Windows\\System32\\clbcatq (0x7e000 bytes).\n2026-06-29 15:15:01,346 [root] DEBUG: 3236: DLL loaded at 0x740D0000: C:\\Windows\\SYSTEM32\\profapi (0x18000 bytes).\n2026-06-29 15:15:01,811 [root] DEBUG: 3236: api-rate-cap: NtQueryValueKey hook disabled due to rate\n2026-06-29 15:15:01,866 [root] DEBUG: 3236: DLL loaded at 0x75720000: C:\\Windows\\System32\\CFGMGR32 (0x3b000 bytes).\n2026-06-29 15:15:01,984 [root] DEBUG: 3236: DLL loaded at 0x740A0000: C:\\Windows\\system32\\twext (0x29000 bytes).\n2026-06-29 15:15:02,002 [root] DEBUG: 3236: InstrumentationCallback: Added region at 0x751524AC (base 0x75130000) to tracked regions list (thread 168).\n2026-06-29 15:15:02,011 [root] DEBUG: 3236: ProcessTrackedRegion: Region at 0x75130000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-06-29 15:15:02,024 [root] DEBUG: 3236: DLL loaded at 0x73E90000: C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32 (0x210000 bytes).\n2026-06-29 15:15:02,038 [root] DEBUG: 3236: ProcessTrackedRegion: Region at 0x75130000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-06-29 15:15:02,598 [lib.api.process] INFO: Monitor config for process 756: C:\\2_6me6uj\\dll\\756.ini\n2026-06-29 15:15:02,608 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\sssfxwQ.dll, loader C:\\2_6me6uj\\bin\\fKGEvqpn.exe\n2026-06-29 15:15:02,641 [root] DEBUG: Loader: Injecting process 756 with C:\\2_6me6uj\\dll\\sssfxwQ.dll.\n2026-06-29 15:15:02,650 [root] DEBUG: 756: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-29 15:15:02,652 [root] DEBUG: 756: Disabling sleep skipping.\n2026-06-29 15:15:02,653 [root] DEBUG: 756: Dropped file limit defaulting to 
100.\n2026-06-29 15:15:02,660 [root] DEBUG: 756: Services hook set enabled\n2026-06-29 15:15:02,666 [root] DEBUG: 756: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-29 15:15:02,730 [root] DEBUG: 756: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-29 15:15:02,731 [root] DEBUG: 756: Monitor initialised: 64-bit capemon loaded in process 756 at 0x00007FF987A90000, thread 4612, image base 0x00007FF69D480000, stack from 0x00000036AC4F4000-0x00000036AC500000\n2026-06-29 15:15:02,732 [root] DEBUG: 756: Commandline: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\n2026-06-29 15:15:02,762 [root] DEBUG: 756: Hooked 69 out of 69 functions\n2026-06-29 15:15:02,765 [root] INFO: Loaded monitor into process with pid 756\n2026-06-29 15:15:02,768 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-06-29 15:15:02,772 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\sssfxwQ.dll.\n2026-06-29 15:15:02,776 [lib.api.process] INFO: Injected into 64-bit <Process 756 svchost.exe>\n2026-06-29 15:15:04,847 [root] DEBUG: 3236: DLL loaded at 0x73DF0000: C:\\Windows\\System32\\Windows.StateRepositoryPS (0x93000 bytes).\n2026-06-29 15:15:04,900 [root] DEBUG: 3236: DLL loaded at 0x73D20000: C:\\Windows\\System32\\Bcp47Langs (0x49000 bytes).\n2026-06-29 15:15:04,904 [root] DEBUG: 3236: DLL loaded at 0x73CB0000: C:\\Windows\\System32\\sppc (0x1c000 bytes).\n2026-06-29 15:15:04,906 [root] DEBUG: 3236: DLL loaded at 0x73D00000: C:\\Windows\\System32\\SLC (0x1f000 bytes).\n2026-06-29 15:15:04,907 [root] DEBUG: 3236: DLL loaded at 0x73CD0000: C:\\Windows\\System32\\USERENV (0x25000 bytes).\n2026-06-29 15:15:04,908 [root] DEBUG: 3236: DLL loaded at 0x73D70000: C:\\Windows\\System32\\appresolver (0x71000 bytes).\n2026-06-29 15:15:05,026 [root] DEBUG: 3236: DLL loaded at 0x73BB0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 
bytes).\n2026-06-29 15:15:05,028 [root] DEBUG: 3236: DLL loaded at 0x73C20000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-06-29 15:15:05,255 [root] DEBUG: 3236: DLL loaded at 0x73B50000: C:\\Windows\\system32\\ntshrui (0x5c000 bytes).\n2026-06-29 15:15:05,300 [root] DEBUG: 3236: DLL loaded at 0x73B00000: C:\\Windows\\System32\\Windows.FileExplorer.Common (0x4a000 bytes).\n2026-06-29 15:15:05,315 [root] DEBUG: 3236: DLL loaded at 0x738D0000: C:\\Windows\\System32\\iertutil (0x22b000 bytes).\n2026-06-29 15:15:05,342 [root] DEBUG: 3236: ProcessTrackedRegion: Region at 0x75130000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-06-29 15:15:05,352 [root] DEBUG: 3236: DLL loaded at 0x738B0000: C:\\Windows\\system32\\srvcli (0x1d000 bytes).\n2026-06-29 15:15:05,369 [root] DEBUG: 3236: DLL loaded at 0x738A0000: C:\\Windows\\SYSTEM32\\cscapi (0xe000 bytes).\n2026-06-29 15:15:05,376 [root] DEBUG: 3236: DLL loaded at 0x73890000: C:\\Windows\\system32\\netutils (0xb000 bytes).\n2026-06-29 15:15:05,408 [root] DEBUG: 3236: DLL loaded at 0x73870000: C:\\Windows\\System32\\shacct (0x1f000 bytes).\n2026-06-29 15:15:05,418 [root] DEBUG: 3236: DLL loaded at 0x73840000: C:\\Windows\\System32\\IDStore (0x22000 bytes).\n2026-06-29 15:15:05,427 [root] DEBUG: 3236: DLL loaded at 0x736B0000: C:\\Windows\\System32\\twinapi.appcore (0x18f000 bytes).\n2026-06-29 15:15:05,433 [root] DEBUG: 3236: DLL loaded at 0x73690000: C:\\Windows\\System32\\SAMLIB (0x1b000 bytes).\n2026-06-29 15:15:05,448 [root] DEBUG: 3236: DLL loaded at 0x735F0000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2026-06-29 15:15:05,477 [root] DEBUG: 3236: DLL loaded at 0x735D0000: C:\\Program Files\\7-Zip\\7-zip32 (0x15000 bytes).\n2026-06-29 15:15:05,492 [root] DEBUG: 3236: DLL loaded at 0x73520000: C:\\Windows\\System32\\samcli (0x15000 bytes).\n2026-06-29 15:15:05,498 [root] DEBUG: 3236: DLL loaded at 0x73540000: C:\\Windows\\System32\\wlidprov 
(0x86000 bytes).\n2026-06-29 15:15:05,523 [root] DEBUG: 3236: DLL loaded at 0x734B0000: C:\\Windows\\System32\\provsvc (0x62000 bytes).\n2026-06-29 15:15:05,541 [root] DEBUG: 3236: ProcessTrackedRegion: Region at 0x75130000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-06-29 15:15:05,556 [root] DEBUG: 3236: DLL loaded at 0x66680000: C:\\Windows\\system32\\sfc (0x3000 bytes).\n2026-06-29 15:15:05,557 [root] DEBUG: 3236: DLL loaded at 0x731F0000: C:\\Windows\\system32\\msi (0x291000 bytes).\n2026-06-29 15:15:05,558 [root] DEBUG: 3236: DLL loaded at 0x73140000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2026-06-29 15:15:05,571 [root] DEBUG: 3236: DLL loaded at 0x73170000: C:\\Windows\\system32\\AEPIC (0x78000 bytes).\n2026-06-29 15:15:05,573 [root] DEBUG: 3236: DLL loaded at 0x73130000: C:\\Windows\\system32\\sfc_os (0xf000 bytes).\n2026-06-29 15:15:05,574 [root] DEBUG: 3236: DLL loaded at 0x73490000: C:\\Windows\\system32\\acppage (0x14000 bytes).\n2026-06-29 15:15:05,595 [root] DEBUG: 3236: ProcessTrackedRegion: Region at 0x75130000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-06-29 15:15:05,607 [root] DEBUG: 3236: DLL loaded at 0x76AB0000: C:\\Windows\\System32\\SETUPAPI (0x43c000 bytes).\n2026-06-29 15:15:05,722 [root] DEBUG: 3236: ProcessTrackedRegion: Region at 0x75130000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-06-29 15:15:05,767 [root] DEBUG: 3236: DLL loaded at 0x73110000: C:\\Windows\\SYSTEM32\\edputil (0x1b000 bytes).\n2026-06-29 15:15:05,780 [root] DEBUG: 3236: DLL loaded at 0x72F60000: C:\\Windows\\SYSTEM32\\urlmon (0x1a8000 bytes).\n2026-06-29 15:15:05,809 [root] DEBUG: 3236: DLL loaded at 0x72E80000: C:\\Windows\\System32\\wintypes (0xdb000 bytes).\n2026-06-29 15:15:05,836 [root] DEBUG: 3236: DLL loaded at 0x72E40000: C:\\Windows\\System32\\OneCoreCommonProxyStub (0x3d000 
bytes).\n2026-06-29 15:15:05,851 [root] DEBUG: 3236: DLL loaded at 0x72A90000: C:\\Windows\\System32\\OneCoreUAPCommonProxyStub (0x3a1000 bytes).\n2026-06-29 15:15:05,866 [root] DEBUG: 3236: DLL loaded at 0x72A70000: C:\\Windows\\SYSTEM32\\MPR (0x19000 bytes).\n2026-06-29 15:15:06,068 [root] DEBUG: 3236: DLL loaded at 0x72A50000: C:\\Windows\\SYSTEM32\\pcacli (0x11000 bytes).\n2026-06-29 15:15:06,070 [root] INFO: Announced 32-bit process name: InstallFlashPlayer.exe pid: 3760\n2026-06-29 15:15:06,070 [lib.api.process] INFO: Monitor config for process 3760: C:\\2_6me6uj\\dll\\3760.ini\n2026-06-29 15:15:07,331 [lib.api.process] INFO: Potential dll side-loading detected in local directory: msimg32.dll\n2026-06-29 15:15:07,343 [lib.api.process] INFO: 32-bit DLL to sideload is C:\\Users\\Rajesh\\AppData\\Local\\Temp\\capemon.dll, sideloader C:\\Users\\Rajesh\\AppData\\Local\\Temp\\version.dll\n2026-06-29 15:15:07,366 [root] DEBUG: 3236: CreateProcessHandler: Injection info set for new process 2144: C:\\Windows\\system32\\cmd.exe, ImageBase: 0x00010000\n2026-06-29 15:15:07,367 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2144\n2026-06-29 15:15:07,367 [lib.api.process] INFO: Monitor config for process 2144: C:\\2_6me6uj\\dll\\2144.ini\n2026-06-29 15:15:07,370 [lib.api.process] INFO: 32-bit DLL to inject is C:\\2_6me6uj\\dll\\xTbXXGg.dll, loader C:\\2_6me6uj\\bin\\PZVebbf.exe\n2026-06-29 15:15:07,385 [root] DEBUG: Loader: Injecting process 2144 (thread 2492) with C:\\2_6me6uj\\dll\\xTbXXGg.dll.\n2026-06-29 15:15:07,387 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 15:15:07,389 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\xTbXXGg.dll.\n2026-06-29 15:15:07,391 [lib.api.process] INFO: Injected into 32-bit <Process 2144 cmd.exe>\n2026-06-29 15:15:07,395 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2144\n2026-06-29 15:15:07,396 [lib.api.process] INFO: Monitor config for process 2144: 
C:\\2_6me6uj\\dll\\2144.ini\n2026-06-29 15:15:07,398 [lib.api.process] INFO: 32-bit DLL to inject is C:\\2_6me6uj\\dll\\xTbXXGg.dll, loader C:\\2_6me6uj\\bin\\PZVebbf.exe\n2026-06-29 15:15:07,414 [root] DEBUG: Loader: Injecting process 2144 with C:\\2_6me6uj\\dll\\xTbXXGg.dll.\n2026-06-29 15:15:07,416 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=2).\n2026-06-29 15:15:07,418 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\xTbXXGg.dll.\n2026-06-29 15:15:07,454 [root] DEBUG: 3236: NtTerminateProcess hook: Attempting to dump process 3236\n2026-06-29 15:15:07,482 [root] DEBUG: 3236: DoProcessDump: Code modification detected, dumping Imagebase at 0x00400000.\n2026-06-29 15:15:07,488 [root] DEBUG: 3236: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-29 15:15:07,489 [root] DEBUG: 2144: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-29 15:15:07,490 [root] DEBUG: 3236: DumpProcess: Instantiating PeParser with address: 0x00400000.\n2026-06-29 15:15:07,491 [root] DEBUG: 2144: Dropped file limit defaulting to 100.\n2026-06-29 15:15:07,492 [root] DEBUG: 3236: DumpProcess: Module entry point VA is 0x00401E65.\n2026-06-29 15:15:07,508 [lib.common.results] INFO: Uploading file C:\\QonFocsg\\CAPE\\3236_202137152229162026 to procdump\\2dcf5c2511d637876e9187cd2de67e372bd8f1c2f13ef79dfa110ba47df26ef4; Size is 118784; Max size: 100000000\n2026-06-29 15:15:07,511 [root] DEBUG: 2144: Disabling sleep skipping.\n2026-06-29 15:15:07,513 [root] DEBUG: 3236: DumpProcess: Module image dump success - dump size 0x1d000.\n2026-06-29 15:15:07,519 [root] DEBUG: 2144: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-29 15:15:07,520 [root] DEBUG: 3236: YaraScan: Scanning 0x00400000, size 0x2044e\n2026-06-29 15:15:07,523 [root] DEBUG: 2144: YaraScan: Scanning 0x00010000, size 0x595ee\n2026-06-29 15:15:07,528 [root] DEBUG: 
3236: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 7.228308e-04)\n2026-06-29 15:15:07,635 [root] DEBUG: 2144: YaraScan hit: FindFixAndRun\n2026-06-29 15:15:07,681 [root] INFO: Process with pid 3236 has terminated\n2026-06-29 15:15:07,746 [root] DEBUG: 2144: Monitor initialised: 32-bit capemon loaded in process 2144 at 0x74330000, thread 2492, image base 0x10000, stack from 0x2e43000-0x2f40000\n2026-06-29 15:15:07,779 [root] DEBUG: 2144: Commandline: \"C:\\Windows\\system32\\cmd.exe\"\n2026-06-29 15:15:07,839 [root] DEBUG: 2144: hook_api: LdrpCallInitRoutine export address 0x76F72980 obtained via GetFunctionAddress\n2026-06-29 15:15:07,999 [root] DEBUG: 2144: hook_api: Trampoline creation failed for GetCommandLineA, retrying with HOOK_SAFEST\n2026-06-29 15:15:08,046 [root] DEBUG: 2144: hook_api: Trampoline creation failed for GetCommandLineW, retrying with HOOK_SAFEST\n2026-06-29 15:15:08,099 [root] DEBUG: 2144: Hooked 635 out of 635 functions\n2026-06-29 15:15:08,158 [root] DEBUG: 2144: set_hooks_exe: Hooked FindFixAndRun at 0x0001AD60\n2026-06-29 15:15:08,221 [root] DEBUG: 2144: Syscall hook installed, syscall logging level 1\n2026-06-29 15:15:08,261 [root] DEBUG: 2144: RestoreHeaders: Restored original import table.\n2026-06-29 15:15:08,279 [root] INFO: Loaded monitor into process with pid 2144\n2026-06-29 15:15:09,334 [root] INFO: Error dumping file from path \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\invoice_231836298371.exe\": [Errno 13] Permission denied: 'C:\\\\Users\\\\Rajesh\\\\AppData\\\\Local\\\\Temp\\\\invoice_231836298371.exe'\n2026-06-29 15:15:09,535 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,590 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,655 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 
0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,703 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,750 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,796 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,843 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,889 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,936 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:09,983 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,030 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,077 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,124 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,170 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,219 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,268 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,311 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: 
unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,353 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,356 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:15:10,397 [root] DEBUG: Error 87 (0x57) - AddTrackedRegion: unable to query memory region 0x7FFF0000: The parameter is incorrect.\n2026-06-29 15:18:16,869 [root] INFO: Analysis timeout hit, terminating analysis\n2026-06-29 15:18:16,872 [lib.api.process] INFO: Terminate event set for process 756\n2026-06-29 15:18:16,873 [root] DEBUG: 756: Terminate Event: Attempting to dump process 756\n2026-06-29 15:18:16,875 [root] DEBUG: 756: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 15:18:16,884 [lib.api.process] INFO: Termination confirmed for process 756\n2026-06-29 15:18:16,884 [root] INFO: Terminate event set for process 756\n2026-06-29 15:18:16,886 [lib.api.process] INFO: Terminate event set for process 2144\n2026-06-29 15:18:16,887 [root] DEBUG: 756: Terminate Event: monitor shutdown complete for process 756\n2026-06-29 15:18:16,888 [root] DEBUG: 2144: Terminate Event: Attempting to dump process 2144\n2026-06-29 15:18:16,890 [root] DEBUG: 2144: VerifyCodeSection: Executable code does not match, 0x9d62 of 0x2bfcb matching\n2026-06-29 15:18:16,891 [root] DEBUG: 2144: DoProcessDump: Code modification detected, dumping Imagebase at 0x00010000.\n2026-06-29 15:18:16,893 [root] DEBUG: 2144: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-29 15:18:16,894 [root] DEBUG: 2144: DumpProcess: Instantiating PeParser with address: 0x00010000.\n2026-06-29 15:18:16,895 [root] DEBUG: 2144: DumpProcess: Module entry point VA is 0x00026B20.\n2026-06-29 15:18:16,920 [lib.common.results] INFO: Uploading file C:\\QonFocsg\\CAPE\\2144_3685916182229162026 to 
procdump\\7774c21f9b371c18e10f473e8877e6dbe52fd2b55d81b5204b3f17586de58d5e; Size is 236032; Max size: 100000000\n2026-06-29 15:18:16,930 [root] DEBUG: 2144: DumpProcess: Module image dump success - dump size 0x39a00.\n2026-06-29 15:18:16,935 [root] DEBUG: 2144: Terminate Event: Shutdown complete for process 2144 but failed to inform analyzer.\n2026-06-29 15:18:21,890 [lib.api.process] INFO: Termination confirmed for process 2144\n2026-06-29 15:18:21,892 [root] INFO: Terminate event set for process 2144\n2026-06-29 15:18:21,892 [root] INFO: Created shutdown mutex\n2026-06-29 15:18:22,906 [root] INFO: Shutting down package\n2026-06-29 15:18:22,907 [root] INFO: Stopping auxiliary modules\n2026-06-29 15:18:22,907 [root] INFO: Stopping auxiliary module: Browser\n2026-06-29 15:18:22,908 [root] INFO: Stopping auxiliary module: Human\n2026-06-29 15:18:23,783 [root] INFO: Stopping auxiliary module: Screenshots\n2026-06-29 15:18:23,784 [root] INFO: Finishing auxiliary modules\n2026-06-29 15:18:23,784 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-06-29 15:18:23,788 [lib.common.results] INFO: Uploading file C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\❤≸⋙\\Ⱒ☠⍨\\‮ﯹ๛\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe to files\\69e966e730557fde8fd84317cdef1ece00a8bb3470c0b58f3231e170168af169; Size is 252928; Max size: 100000000\n2026-06-29 15:18:23,797 [root] WARNING: File at path c:\\users\\rajesh\\appdata\\local\\temp\\msimg32.dll does not exist, skipping\n2026-06-29 15:18:23,800 [lib.common.results] INFO: Uploading file C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe to files\\672ec8dceafd429c1a09cfafbc4951968953e2081e0d97243040db16edb24429; Size is 89248; Max size: 100000000\n2026-06-29 15:18:23,805 [root] WARNING: Folder at path \"C:\\QonFocsg\\debugger\" does not exist, skipping\n2026-06-29 15:18:23,806 [root] WARNING: Folder at path \"C:\\QonFocsg\\tlsdump\" does not 
exist, skipping\n2026-06-29 15:18:23,813 [root] WARNING: Monitor injection attempted but failed for process 3760\n2026-06-29 15:18:23,814 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "06e5bebdff6d156993c5368ef88bf0a917ae51d479c1558fee5f954a114b414b",
    "hosts": [
      {
        "ip": "151.101.206.172",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "20.190.159.23",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.138",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.155.119",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.71.95",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "108.177.15.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "64.233.167.101",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.168.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "beacons.gcp.gvt2.com",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.16.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "23.40.0.178",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "fpdownload.macromedia.com",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "172.253.157.95",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "85.114.128.127",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          53
        ]
      }
    ],
    "domains": [
      {
        "domain": "j.maxmind.com",
        "ip": ""
      },
      {
        "domain": "fpdownload.macromedia.com",
        "ip": "23.40.0.178"
      },
      {
        "domain": "beacons.gcp.gvt2.com",
        "ip": "142.251.168.94"
      }
    ],
    "tcp": [
      {
        "src": "192.168.122.139",
        "sport": 49755,
        "dst": "172.253.157.95",
        "dport": 443,
        "offset": 807,
        "time": 3.785372018814087
      },
      {
        "src": "192.168.122.139",
        "sport": 49788,
        "dst": "23.40.0.178",
        "dport": 80,
        "offset": 1644,
        "time": 9.55962586402893
      },
      {
        "src": "192.168.122.139",
        "sport": 49789,
        "dst": "142.251.168.138",
        "dport": 443,
        "offset": 3799,
        "time": 9.846351861953735
      },
      {
        "src": "192.168.122.139",
        "sport": 49754,
        "dst": "142.251.16.94",
        "dport": 443,
        "offset": 7721,
        "time": 9.885510921478271
      },
      {
        "src": "192.168.122.139",
        "sport": 49790,
        "dst": "142.251.168.94",
        "dport": 443,
        "offset": 9445,
        "time": 10.034690856933594
      },
      {
        "src": "192.168.122.139",
        "sport": 49757,
        "dst": "64.233.167.101",
        "dport": 443,
        "offset": 18131,
        "time": 23.777045011520386
      },
      {
        "src": "192.168.122.139",
        "sport": 49758,
        "dst": "108.177.15.94",
        "dport": 443,
        "offset": 18272,
        "time": 24.64565896987915
      },
      {
        "src": "192.168.122.139",
        "sport": 49759,
        "dst": "74.125.71.95",
        "dport": 443,
        "offset": 18413,
        "time": 24.77112579345703
      },
      {
        "src": "192.168.122.139",
        "sport": 49760,
        "dst": "74.125.71.95",
        "dport": 443,
        "offset": 18554,
        "time": 24.888672828674316
      },
      {
        "src": "192.168.122.139",
        "sport": 49761,
        "dst": "74.125.71.95",
        "dport": 443,
        "offset": 18695,
        "time": 24.93466281890869
      },
      {
        "src": "192.168.122.139",
        "sport": 49756,
        "dst": "142.251.155.119",
        "dport": 443,
        "offset": 18977,
        "time": 25.122435808181763
      },
      {
        "src": "192.168.122.139",
        "sport": 49763,
        "dst": "74.125.206.138",
        "dport": 443,
        "offset": 19118,
        "time": 25.841003894805908
      },
      {
        "src": "192.168.122.139",
        "sport": 49764,
        "dst": "74.125.206.138",
        "dport": 443,
        "offset": 19259,
        "time": 25.88786482810974
      },
      {
        "src": "192.168.122.139",
        "sport": 49792,
        "dst": "23.220.72.135",
        "dport": 80,
        "offset": 22564,
        "time": 37.40150284767151
      }
    ],
    "udp": [
      {
        "src": "192.168.122.139",
        "sport": 62951,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 261,
        "time": 0.018150806427001953
      },
      {
        "src": "192.168.122.139",
        "sport": 62952,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 339,
        "time": 0.025032997131347656
      },
      {
        "src": "192.168.122.139",
        "sport": 62953,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 417,
        "time": 0.07369399070739746
      },
      {
        "src": "192.168.122.139",
        "sport": 62954,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 495,
        "time": 0.07732892036437988
      },
      {
        "src": "192.168.122.139",
        "sport": 62955,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 573,
        "time": 0.08192992210388184
      },
      {
        "src": "192.168.122.139",
        "sport": 62956,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 651,
        "time": 0.08451581001281738
      },
      {
        "src": "192.168.122.139",
        "sport": 62957,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 729,
        "time": 0.10692095756530762
      },
      {
        "src": "192.168.122.139",
        "sport": 62958,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 948,
        "time": 6.280637979507446
      },
      {
        "src": "192.168.122.139",
        "sport": 62959,
        "dst": "85.114.128.127",
        "dport": 53,
        "offset": 1026,
        "time": 9.291274785995483
      },
      {
        "src": "192.168.122.139",
        "sport": 64046,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 1104,
        "time": 9.453269004821777
      },
      {
        "src": "192.168.122.139",
        "sport": 54625,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 3255,
        "time": 9.820788860321045
      },
      {
        "src": "192.168.122.139",
        "sport": 51339,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 8973,
        "time": 9.973622798919678
      },
      {
        "src": "192.168.122.139",
        "sport": 61593,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 19400,
        "time": 37.29881000518799
      },
      {
        "src": "192.168.122.139",
        "sport": 61594,
        "dst": "239.255.255.250",
        "dport": 1900,
        "offset": 24120,
        "time": 66.75378680229187
      },
      {
        "src": "192.168.122.139",
        "sport": 61595,
        "dst": "239.255.255.250",
        "dport": 1900,
        "offset": 26710,
        "time": 186.75535678863525
      }
    ],
    "icmp": [],
    "http": [
      {
        "count": 1,
        "host": "fpdownload.macromedia.com",
        "port": 80,
        "data": "GET /get/flashplayer/update/current/install/install_all_win_cab_64_ax_sgn.z HTTP/1.1\r\nUser-Agent: Flash Player Seed/3.0\r\nHost: fpdownload.macromedia.com\r\nCache-Control: no-cache\r\n\r\n",
        "uri": "http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_cab_64_ax_sgn.z",
        "body": "",
        "path": "/get/flashplayer/update/current/install/install_all_win_cab_64_ax_sgn.z",
        "user-agent": "Flash Player Seed/3.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1782746114.368686
      }
    ],
    "dns": [
      {
        "request": "j.maxmind.com",
        "type": "A",
        "answers": [
          {
            "type": "NXDOMAIN",
            "data": ""
          }
        ],
        "first_seen": 1782746104.80906
      },
      {
        "request": "fpdownload.macromedia.com",
        "type": "A",
        "answers": [
          {
            "type": "CNAME",
            "data": "fpdownload.macromedia.com.edgekey.net"
          },
          {
            "type": "CNAME",
            "data": "e13914.dscd.akamaiedge.net"
          },
          {
            "type": "A",
            "data": "23.40.0.178"
          }
        ],
        "first_seen": 1782746114.262329
      },
      {
        "request": "beacons.gcp.gvt2.com",
        "type": "A",
        "answers": [
          {
            "type": "CNAME",
            "data": "beacons-handoff.gcp.gvt2.com"
          },
          {
            "type": "A",
            "data": "142.251.168.94"
          }
        ],
        "first_seen": 1782746114.782683
      }
    ],
    "smtp": [],
    "irc": [],
    "dead_hosts": [
      [
        "20.190.159.23",
        443
      ],
      [
        "151.101.206.172",
        80
      ]
    ]
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "queries_keyboard_layout",
      "description": "Queries the keyboard layout",
      "categories": [
        "location_discovery"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 12862
        },
        {
          "type": "call",
          "pid": 2144,
          "cid": 21
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 8218
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9521
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9525
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9656
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12340
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "stealth_timeout",
      "description": "Possible date expiration check, exits too soon after checking local time",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "process": "invoice_231836298371.exe, PID 3236"
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12872
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "language_check_registry",
      "description": "Checks system language via registry key (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
        },
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "privilege_elevation_check",
      "description": "Queries process token information to check for Administrator privileges or UAC elevation status",
      "categories": [
        "discovery",
        "privilege_escalation"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 507
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 696
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 872
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 947
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1266
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1343
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1420
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1497
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1574
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1682
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1725
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1744
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 1826
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5435
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5462
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5489
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5516
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5543
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5698
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5754
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5784
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5857
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 6569
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 6614
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 6744
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 6757
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 6771
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 6858
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7155
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7189
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7615
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7693
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7721
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7796
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7844
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7917
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7985
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8055
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8150
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8243
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8258
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8277
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8333
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8458
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8475
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8572
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8587
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8606
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8633
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8657
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8676
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8695
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8721
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8741
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8777
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8866
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8884
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8946
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8972
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9067
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9120
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9252
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9300
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9344
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9392
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9418
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9594
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9673
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9715
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9821
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 10745
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 10799
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 10851
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11377
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11661
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12155
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12210
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12217
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12271
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "mountpoints_volume_discovery",
      "description": "Queries the mount points and then resolves volume paths to enumerate storage devices",
      "categories": [
        "discovery",
        "ransomware",
        "wiper"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 5636
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5641
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5649
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5701
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5705
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5711
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5720
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5724
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5729
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5736
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5740
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 5745
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8234
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8563
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12228
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "creates_suspended_process",
      "description": "Creates a process in a suspended state, likely for injection",
      "categories": [
        "injection",
        "process hollowing"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 12868
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "resumethread_remote_process",
      "description": "Resumed a thread in another process",
      "categories": [
        "injection",
        "unpacking"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "thread_resumed": "Process invoice_231836298371.exe with process ID 3236 resumed a thread in another process with the process ID 3760"
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12656
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12869
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_http",
      "description": "Performs some HTTP requests",
      "categories": [
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "url": "http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_cab_64_ax_sgn.z"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "pe_deep_entrypoint",
      "description": "The PE entry point is located unusually far into its section, indicative of an appended packer stub that jumps to the original entry point (OEP)",
      "categories": [
        "static",
        "packer",
        "evasion",
        "anomaly"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "anomaly_description": "The PE entry point (0xa3b6) is located 81.4% deep into the '.text' section. Normal compilers place the EP near the beginning. This strongly indicates an appended packer stub or shellcode.",
          "entry_point": "0xa3b6",
          "section_name": ".text",
          "section_virtual_address": "0x1000",
          "section_virtual_size": "0xb571",
          "offset_bytes": "0x93b6",
          "depth_percentage": 81.41,
          "section_entropy": 6.71
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "packer_unknown_pe_section_name",
      "description": "The binary contains an unknown PE section name indicative of packing",
      "categories": [
        "packer"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "unknown section": {
            "name": ".itext",
            "raw_address": "0x0001e400",
            "virtual_address": "0x00020000",
            "virtual_size": "0x0000084d",
            "size_of_data": "0x00000a00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "4.82"
          }
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "discover_registry_mount_points",
      "description": "Queries registry mount points to identify historical or connected removable/network drives",
      "categories": [
        "discovery",
        "ransomware",
        "wiper"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "injection_rwx",
      "description": "Creates RWX memory",
      "categories": [
        "injection"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 30
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "uses_windows_utilities",
      "description": "Uses Windows utilities for basic functionality",
      "categories": [
        "command",
        "lateral"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "command": "\"C:\\Windows\\system32\\cmd.exe\""
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "hardware_id_profiling",
      "description": "Queries the Volume Serial Number or Physical Hardware ID, possibly for anti-sandbox, victim profiling or environmental keying",
      "categories": [
        "evasion",
        "recon",
        "anti-sandbox"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 12609
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12614
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 12619
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "direct_hdd_access",
      "description": "Attempted to write to a harddisk volume",
      "categories": [
        "bootkit",
        "rootkit",
        "wiper"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 200
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "physical_drive_access",
      "description": "Attempted to write directly to a physical drive",
      "categories": [
        "bootkit",
        "rootkit",
        "wiper"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 200
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 254
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "creates_nullvalue",
      "description": "Creates a registry key or value with NUL characters to avoid detection with regedit",
      "categories": [
        "stealth"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 214
        },
        {
          "keyval": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Update\\x00\\x202e\\x2764\\x695c"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "infostealer_cookies",
      "description": "Touches a file containing cookies, possibly for information gathering",
      "categories": [
        "infostealer"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [],
      "new_data": [
        {
          "process": {
            "process_name": "invoice_231836298371.exe",
            "process_id": 3236
          },
          "signs": [
            {
              "type": "file",
              "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCookies"
            }
          ]
        }
      ],
      "alert": false,
      "families": []
    },
    {
      "name": "unbacked_api_resolution",
      "description": "Manually resolves API addresses from dynamically allocated (unbacked) memory, indicative of shellcode or an unpacker",
      "categories": [
        "evasion",
        "shellcode",
        "fileless"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 36
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 37
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 38
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 39
        },
        {
          "unbacked_api_resolutions": [
            "invoice_231836298371.exe resolved API 'lstrcmpiA' from unbacked caller 0x03a54699",
            "invoice_231836298371.exe resolved API 'IsCharAlphaNumericA' from unbacked caller 0x03a54616",
            "invoice_231836298371.exe resolved API 'IsCharAlphaNumericW' from unbacked caller 0x03a545ee",
            "invoice_231836298371.exe resolved API 'IsCharLowerA' from unbacked caller 0x03a5463e"
          ]
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "unbacked_memory_protection_alteration",
      "description": "Altered memory protections from dynamically allocated (unbacked) memory, indicative of self-modifying shellcode or memory patching",
      "categories": [
        "evasion",
        "stealth",
        "fileless",
        "shellcode"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 35
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 96
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 97
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 103
        },
        {
          "unbacked_memory_protection_alterations": [
            "invoice_231836298371.exe changed memory protection at 0x00439000 to 0x00000004 from unbacked caller 0x03a5447c",
            "invoice_231836298371.exe changed memory protection at 0x00400000 to 0x00000040 from unbacked caller 0x03a5665c",
            "invoice_231836298371.exe changed memory protection at 0x00400000 to 0x00000004 from unbacked caller 0x03a567b5",
            "invoice_231836298371.exe changed memory protection at 0x00400000 to 0x00000040 from unbacked caller 0x03a56ae5"
          ]
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "persistence_autorun",
      "description": "Installs itself for autorun at Windows startup",
      "categories": [
        "persistence"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 214
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 6731
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7146
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 7788
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 8853
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9244
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 9818
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 10742
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11876
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11877
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11878
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11879
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11963
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11964
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11965
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 11966
        },
        {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Update\\x00\\x202e\\x2764\\x695c"
        },
        {
          "data": "\"C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe\" >"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "stealth_file",
      "description": "Creates a hidden or system file",
      "categories": [
        "stealth"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3236,
          "cid": 194
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 199
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 253
        },
        {
          "type": "call",
          "pid": 3236,
          "cid": 257
        },
        {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\GoogleUpdate.exe"
        },
        {
          "file": "\\Device\\HarddiskVolume2\\Users\\Rajesh\\AppData\\Local\\Google\\Desktop\\Install\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\\\x2764\\x2278\\x22d9\\\\x2c22\\x2620\\x2368\\\\x202e\\xfbf9\\xe5b\\{70b7bfc4-309c-21bb-bc06-3207a681ab5b}\\@"
        },
        {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msimg32.dll"
        },
        {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\InstallFlashPlayer.exe"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "procmem_yara",
      "description": "Yara detections observed in process dumps, payloads or dropped files",
      "categories": [
        "malware"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "Hit": "PID 3236 triggered the Yara rule 'INDICATOR_EXE_Packed_aPLib' with data '['{ 41 50 33 32 18 00 00 00 E4 41 00 00 D9 1E 80 0E 00 7E 00 00 E3 50 DE 1E 4D 38 5A 90 }', '{ 41 50 33 32 18 00 00 00 9C 53 00 00 0E 34 40 EA 00 BE 00 00 6B BA 10 7E 4D 38 5A 90 }', '{ 41 50 33 32 18 00 00 00 71 AF 00 00 CF 9E A0 D2 A0 5C 01 00 62 01 E2 A2 4D 38 5A 90 }']'"
        },
        {
          "Hit": "PID 3236 triggered the Yara rule 'INDICATOR_EXE_Packed_aPLib' with data '['{ 41 50 33 32 18 00 00 00 E4 41 00 00 D9 1E 80 0E 00 7E 00 00 E3 50 DE 1E 4D 38 5A 90 }', '{ 41 50 33 32 18 00 00 00 9C 53 00 00 0E 34 40 EA 00 BE 00 00 6B BA 10 7E 4D 38 5A 90 }', '{ 41 50 33 32 18 00 00 00 71 AF 00 00 CF 9E A0 D2 A0 5C 01 00 62 01 E2 A2 4D 38 5A 90 }']'"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 9.0,
  "ttps": [
    {
      "signature": "hardware_id_profiling",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "E1082",
        "E1480.001"
      ]
    },
    {
      "signature": "direct_hdd_access",
      "ttps": [
        "T1542.003",
        "T1014",
        "T1542"
      ],
      "mbcs": [
        "OB0006",
        "E1014",
        "F0013"
      ]
    },
    {
      "signature": "physical_drive_access",
      "ttps": [
        "T1542.003",
        "T1014",
        "T1542"
      ],
      "mbcs": [
        "OB0006",
        "E1014",
        "F0013"
      ]
    },
    {
      "signature": "privilege_elevation_check",
      "ttps": [
        "T1033",
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "creates_nullvalue",
      "ttps": [
        "T1562.006",
        "T1112",
        "T1562"
      ],
      "mbcs": [
        "OB0006",
        "E1112",
        "F0006",
        "OC0008",
        "C0036"
      ]
    },
    {
      "signature": "mountpoints_volume_discovery",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "infostealer_cookies",
      "ttps": [
        "T1539"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "creates_suspended_process",
      "ttps": [
        "T1055"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "resumethread_remote_process",
      "ttps": [
        "T1055"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "unbacked_api_resolution",
      "ttps": [
        "T1129",
        "T1055"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "unbacked_memory_protection_alteration",
      "ttps": [
        "T1055"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "persistence_autorun",
      "ttps": [
        "T1547.001",
        "T1112",
        "T1547"
      ],
      "mbcs": [
        "OB0012",
        "E1112",
        "F0012"
      ]
    },
    {
      "signature": "stealth_file",
      "ttps": [
        "T1564.001",
        "T1564"
      ],
      "mbcs": [
        "OB0006",
        "F0005",
        "OC0001",
        "C0016"
      ]
    },
    {
      "signature": "network_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "pe_deep_entrypoint",
      "ttps": [
        "T1027"
      ],
      "mbcs": [
        "E1027"
      ]
    },
    {
      "signature": "packer_unknown_pe_section_name",
      "ttps": [
        "T1027.002",
        "T1027"
      ],
      "mbcs": [
        "OB0001",
        "OB0002",
        "OB0006",
        "F0001"
      ]
    },
    {
      "signature": "procmem_yara",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "discover_registry_mount_points",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "uses_windows_utilities",
      "ttps": [
        "T1202"
      ],
      "mbcs": [
        "OB0009",
        "E1203.m06"
      ]
    }
  ],
  "malstatus": "Malicious"
}